Abstract. Abstraction reduces the problem of whether an infinite state system satisfies a temporal logic property to model checking that property on a finite state abstract version. The most common abstractions are quotients of the original system. We present a simple method of defining quotient abstractions by means of equations collapsing the set of states. Our method yields the minimal quotient system together with a set of proof obligations that guarantee its executability and can be discharged with tools such as those in the Maude formal environment.


1 Introduction

Abstraction techniques (see for example [1,2,8-10,14,16,24,26,27,29,30,36,38,39]) allow reducing the problem of whether an infinite state system, or a finite but too large one, satisfies a temporal logic property to model checking that property on a finite state abstract version. The most common way of defining such abstractions is by defining a quotient of the original system's set of states, together with abstract versions of the transitions and the predicates. Many methods differ in their details but agree on their general use of a quotient map. There is always a minimal system (Kripke structure) making this quotient map a simulation.

We present a simple method to build minimal quotient abstractions in an equational way. The method assumes that the concurrent system has been specified by means of a rewrite theory $\mathcal{R} = (\Sigma, E, R)$, with $(\Sigma, E)$ an equational theory specifying the set of states as an algebraic data type, and $R$ specifying the system's transitions as a set of rewrite rules. The method consists in adding more equations, say $E'$, to get a quotient system specified by the rewrite theory $\mathcal{R}/E' = (\Sigma, E \cup E', R)$. We call such a system an equational abstraction of $\mathcal{R}$. This equational abstraction is useful for model checking purposes if:

1. $\mathcal{R}/E'$ is an executable rewrite theory in an appropriate sense; and

2. the state predicates are preserved by the quotient simulation.

Requirements 1 and 2 are proof obligations that can be discharged by theorem proving methods.

Our approach can be mechanized using the rewriting logic language Maude [11,12] and its associated LTL model checker [22], inductive theorem prover [13], Church-Rosser checker [19], termination tool [21], coherence checker [20], and sufficient completeness checker [25]. Our present experience with case studies, involving different abstractions discussed in the literature, suggests a fairly wide applicability for this method.

After summarizing prerequisites on Kripke structures and linear temporal logic (LTL) in Section 2 and discussing simulations in Section 3, we explain in Section 4 how a concurrent system specified by a rewrite theory $\mathcal{R}$ has an associated Kripke structure giving semantics to its LTL properties; we also explain how Maude can model check such LTL properties for initial states from which finitely many states are reachable. Equational abstractions and their associated proof methods are discussed in Sections 5 and 6. Section 7 presents some case studies, and Section 8 discusses related work and future research. A more complex example is presented in Appendix A; more details about a collection of case studies using this method can be found in [35].

2 Prerequisites on Kripke Structures and LTL

To specify the properties of interest about our systems we will use linear temporal logic,^3 which is interpreted in a standard way in Kripke structures. In what follows, we assume a fixed set of atomic propositions $AP$.

Definition 1. A Kripke structure is a triple $\mathcal{A} = (A, \to_{\mathcal{A}}, L_{\mathcal{A}})$, where $A$ is a set of states, $\to_{\mathcal{A}} \subseteq A \times A$ is a total transition relation, and $L_{\mathcal{A}} : A \to \mathcal{P}(AP)$ is a labeling function associating to each state the set of atomic propositions that hold in it.

We will use the notation $a \to_{\mathcal{A}} b$ to say that $(a, b) \in \to_{\mathcal{A}}$. Note that the transition relation must be total, that is, for each $a \in A$ there is a $b \in A$ such that $a \to_{\mathcal{A}} b$. Given an arbitrary relation $\to$, we write $\to^{\bullet}$ for the total relation that extends $\to$ by adding a pair $a \to^{\bullet} a$ for each $a$ such that there is no $b$ with $a \to b$. A path in a Kripke structure $\mathcal{A}$ is a function $\pi : \mathbb{N} \to A$ such that, for each $i \in \mathbb{N}$, $\pi(i) \to_{\mathcal{A}} \pi(i+1)$. We use $\pi^i$ to refer to the suffix of $\pi$ starting at $\pi(i)$; explicitly, $\pi^i(n) = \pi(i+n)$.

The syntax of LTL($AP$) is given by the following grammar:

$$\varphi \;=\; p \in AP \;\mid\; \top \;\mid\; \varphi \vee \varphi \;\mid\; \neg\varphi \;\mid\; \bigcirc\varphi \;\mid\; \varphi\,\mathcal{U}\,\varphi .$$

The semantics of LTL($AP$) is defined as follows. Given a Kripke structure $\mathcal{A} = (A, \to_{\mathcal{A}}, L_{\mathcal{A}})$ and an element $a \in A$,

$$\mathcal{A}, a \models \varphi \iff \mathcal{A}, \pi \models \varphi \text{ for all paths } \pi \text{ such that } \pi(0) = a ,$$

where the satisfaction relation $\mathcal{A}, \pi \models \varphi$ is defined by structural induction on $\varphi$:

$\mathcal{A}, \pi \models p \iff p \in L_{\mathcal{A}}(\pi(0))$

$\mathcal{A}, \pi \models \top \iff \text{true}$

$\mathcal{A}, \pi \models \varphi \vee \psi \iff \mathcal{A}, \pi \models \varphi \text{ or } \mathcal{A}, \pi \models \psi$

$\mathcal{A}, \pi \models \neg\varphi \iff \mathcal{A}, \pi \not\models \varphi$

$\mathcal{A}, \pi \models \bigcirc\varphi \iff \mathcal{A}, \pi^1 \models \varphi$

$\mathcal{A}, \pi \models \varphi\,\mathcal{U}\,\psi \iff$ there exists $n \in \mathbb{N}$ such that $\mathcal{A}, \pi^n \models \psi$ and, for all $m < n$, $\mathcal{A}, \pi^m \models \varphi$

Other Boolean and temporal operators (e.g., $\bot$, $\wedge$, $\to$, $\Box$, $\Diamond$, $\mathcal{R}$, and $\leadsto$) can be defined as syntactic sugar.

It is sometimes useful to restrict ourselves to the negation-free fragment LTL$^-$($AP$) of LTL($AP$), defined as follows:

$$\varphi \;=\; p \in AP \;\mid\; \top \;\mid\; \bot \;\mid\; \varphi \vee \varphi \;\mid\; \varphi \wedge \varphi \;\mid\; \bigcirc\varphi \;\mid\; \varphi\,\mathcal{U}\,\varphi \;\mid\; \varphi\,\mathcal{R}\,\varphi .$$

^3 The choice of LTL is not essential: our main results and techniques apply also to the universal fragment ACTL$^*$ of CTL$^*$ [10]; we use LTL as a core logic for the exposition because it is the logic supported by the Maude system used in our case studies.
Negation is no longer available in LTL$^-$, and therefore the duals of the basic operators must be considered as basic ones, too. Since LTL$^-$ is a sublogic of LTL, its semantics is the same. Furthermore, in a very practical sense there is no real loss of generality by restricting ourselves to formulas in LTL$^-$, because we can always transform any LTL formula $\varphi$ into a semantically equivalent LTL$^-$ formula $\tilde{\varphi}$. For that, we consider the extended set of atomic propositions $\widetilde{AP} = AP \cup \overline{AP}$, where $\overline{AP} = \{\bar{p} \mid p \in AP\}$, and construct $\tilde{\varphi}$ by first forming the negation normal form of $\varphi$ (i.e., all negations are pushed to the atoms), and then replacing each negated atom $\neg p$ by $\bar{p}$. Given $\mathcal{A} = (A, \to_{\mathcal{A}}, L_{\mathcal{A}})$, we define $\tilde{\mathcal{A}} = (A, \to_{\mathcal{A}}, L_{\tilde{\mathcal{A}}})$ where $L_{\tilde{\mathcal{A}}}(a) = L_{\mathcal{A}}(a) \cup \{\bar{p} \in \overline{AP} \mid p \notin L_{\mathcal{A}}(a)\}$. Then we have $\mathcal{A}, a \models \varphi \iff \tilde{\mathcal{A}}, a \models \tilde{\varphi}$.

3 Simulations

We present a notion of simulation similar to that in [10], but somewhat more general (simulations in [10] essentially correspond to our strict simulations).

Definition 2. Given Kripke structures $\mathcal{A} = (A, \to_{\mathcal{A}}, L_{\mathcal{A}})$ and $\mathcal{B} = (B, \to_{\mathcal{B}}, L_{\mathcal{B}})$, both having the same set $AP$ of atomic propositions, an $AP$-simulation $H : \mathcal{A} \to \mathcal{B}$ of $\mathcal{A}$ by $\mathcal{B}$ is given by a total binary relation $H \subseteq A \times B$ such that:

- if $a \to_{\mathcal{A}} a'$ and $aHb$, then there is $b' \in B$ such that $b \to_{\mathcal{B}} b'$ and $a'Hb'$, and

- if $aHb$, then $L_{\mathcal{B}}(b) \subseteq L_{\mathcal{A}}(a)$.

If the relation $H$ is a function, then we call $H$ an $AP$-simulation map. If both $H$ and $H^{-1}$ are $AP$-simulations, then we call $H$ an $AP$-bisimulation. Also we call $H$ strict if $aHb$ implies $L_{\mathcal{B}}(b) = L_{\mathcal{A}}(a)$. Note that all $AP$-bisimulations are strict.

The first condition guarantees that for each concrete path in $\mathcal{A}$ there is a corresponding abstract path in $\mathcal{B}$; the second condition guarantees that an abstract state in $\mathcal{B}$ can satisfy only those atomic propositions that hold in all the concrete states in $\mathcal{A}$ that it simulates.

Definition 3. An $AP$-simulation $H : \mathcal{A} \to \mathcal{B}$ reflects the satisfaction of a formula $\varphi \in$ LTL($AP$) iff $\mathcal{B}, b \models \varphi$ and $aHb$ imply $\mathcal{A}, a \models \varphi$.

Theorem 1. $AP$-simulations always reflect satisfaction of LTL$^-$($AP$) formulas. In addition, strict $AP$-simulations also reflect satisfaction of LTL($AP$) formulas.

Proof. Let $H : \mathcal{A} \to \mathcal{B}$ be a simulation. We extend $H$ to paths by defining $\pi H \rho$ if $\pi(i) H \rho(i)$ for every $i \in \mathbb{N}$. The theorem is then an easy consequence of the following two results, which can be proved by induction on the length of the path and by structural induction on formulas, respectively:

1. if $aHb$ and $\pi$ is a path in $\mathcal{A}$ starting at $a$, then there is a path $\rho$ in $\mathcal{B}$ starting at $b$ and such that $\pi H \rho$, and

2. if $aHb$, $\pi$ starts at $a$, $\rho$ starts at $b$, and $\pi H \rho$, then $\mathcal{B}, \rho \models \varphi$ implies $\mathcal{A}, \pi \models \varphi$; furthermore, this implication becomes an equivalence for strict simulations. □

Theorem 1 also holds for ACTL$^*$ formulas and, in that more general formulation, slightly generalizes Theorem 16 in [10].

This theorem is the key basis for the method of model checking by abstraction: given an infinite (or too large) system $\mathcal{M}$, find a system $\mathcal{A}$ with a finite set of reachable states that simulates it and use model checking to try to prove that $\varphi$ holds in $\mathcal{A}$; then, by Theorem 1, $\varphi$ also holds in $\mathcal{M}$. In general, however, we typically only have our concrete system $\mathcal{M}$ and a surjective function $h : M \to A$ mapping concrete states to a simplified (usually with a finite set of reachable states) abstract domain $A$. In these cases there is a canonical way of constructing a Kripke structure out of $h$ in such a way that $h$ becomes a simulation.
Definition 4. The minimal system $\mathcal{M}^h_{\min}$ corresponding to $\mathcal{M}$ and the surjective function $h : M \to A$ is given by the triple $(A, (h \times h)(\to_{\mathcal{M}}), L_{\mathcal{M}^h_{\min}})$, where $(h \times h)(\to_{\mathcal{M}})$ is the image of $\to_{\mathcal{M}}$ through $h$ and $L_{\mathcal{M}^h_{\min}}(a) = \bigcap_{x \in h^{-1}(a)} L_{\mathcal{M}}(x)$.

The following proposition is an immediate consequence of the definitions.

Proposition 1. For all such $\mathcal{M}$ and $h$, $h : \mathcal{M} \to \mathcal{M}^h_{\min}$ is a simulation map.

Minimal systems can also be seen as quotients. Let $\mathcal{A} = (A, \to_{\mathcal{A}}, L_{\mathcal{A}})$ be a Kripke structure on $AP$, and let $\equiv$ be an arbitrary equivalence relation on $A$. We can use $\equiv$ to define a new Kripke structure, $\mathcal{A}/\!\equiv\; = (A/\!\equiv, \to_{\mathcal{A}/\equiv}, L_{\mathcal{A}/\equiv})$, where:

- $[a_1] \to_{\mathcal{A}/\equiv} [a_2]$ iff there exist $a_1' \in [a_1]$ and $a_2' \in [a_2]$ such that $a_1' \to_{\mathcal{A}} a_2'$;

- $L_{\mathcal{A}/\equiv}([a]) = \bigcap_{x \in [a]} L_{\mathcal{A}}(x)$.

It is then trivial to check that the projection map to equivalence classes $q_{\equiv} : a \mapsto [a]$ is an $AP$-simulation map $q_{\equiv} : \mathcal{A} \to \mathcal{A}/\!\equiv$, which we call the quotient abstraction defined by $\equiv$. Hence, an equivalent presentation of the minimal system is expressed by the following.

Proposition 2. Let $\mathcal{M} = (M, \to_{\mathcal{M}}, L_{\mathcal{M}})$ be a Kripke structure and $h : M \to A$ a surjective function. Then, there exists a bijective bisimulation map between the Kripke structures $\mathcal{M}^h_{\min}$ and $\mathcal{M}/\!\equiv_h$, where by definition $x \equiv_h y$ iff $h(x) = h(y)$.

Proof. Define $f : \mathcal{M}^h_{\min} \to \mathcal{M}/\!\equiv_h$ by $f(h(x)) = [x]$; by definition of $\equiv_h$ and since $h$ is surjective, $f$ is a well-defined bijective function. We need to check that both $f$ and $f^{-1}([x]) = h(x)$ are strict simulations.

If $a \to_{\mathcal{M}^h_{\min}} b$, then there exist $x$ and $y$ in $M$ such that $h(x) = a$, $h(y) = b$, and $x \to_{\mathcal{M}} y$, and therefore $f(a) = [x] \to_{\mathcal{M}/\equiv_h} [y] = f(b)$. Similarly, if $[x] \to_{\mathcal{M}/\equiv_h} [y]$, then there exists $x'$ such that $h(x) = h(x')$, and $y'$ such that $h(y) = h(y')$, with $x' \to_{\mathcal{M}} y'$, and hence $f^{-1}([x]) = h(x') \to_{\mathcal{M}^h_{\min}} h(y') = f^{-1}([y])$.

Finally, $p \in L_{\mathcal{M}/\equiv_h}([x])$ iff $p \in L_{\mathcal{M}}(x')$ for all $x'$ with $h(x') = h(x)$, iff $p \in L_{\mathcal{M}^h_{\min}}(h(x))$, and therefore $f$ and $f^{-1}$ are strict. □

That is, we can perform the abstraction either by mapping the concrete states to an abstract domain or, as we will do in Section 5, by identifying some states and thereafter working with the corresponding equivalence classes.

The use of the adjective "minimal" is appropriate since, as pointed out in [9], $\mathcal{M}^h_{\min}$ is the most accurate approximation to $\mathcal{M}$ that is consistent with $h$. However, it is not always possible to have a computable description of $\mathcal{M}^h_{\min}$. The definition of $\to_{\mathcal{M}^h_{\min}}$ can be rephrased as $x \to_{\mathcal{M}^h_{\min}} y$ iff there exist $a$ and $b$ such that $h(a) = x$, $h(b) = y$, and $a \to_{\mathcal{M}} b$. This relation, even if $\to_{\mathcal{M}}$ is recursive, is in general only recursively enumerable. However, Section 5 develops equational methods that, when successful, yield a computable description of $\mathcal{M}^h_{\min}$.
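Definition 4, the quotient construction and the simulation conditions of Definition 2 carried out on a small finite Kripke structure, as an added example (not code from the paper). The counter system, its labeling over $AP = \{low, even\}$ and the parity map $h$ are constructed for illustration; the checks confirm Proposition 1 and Proposition 2 on this instance and show that $h$ is a simulation but not a strict one.

```python
"""Definition 4 (minimal system), the quotient A/== of Section 3 and the simulation
conditions of Definition 2, on a constructed finite Kripke structure.
Added example, not code from the paper; the structure and the map h are assumptions."""


def totalize(states, trans):
    """The relation ->* of Section 2: add a -> a for each a with no successor."""
    has_succ = {a for a, _ in trans}
    return set(trans) | {(a, a) for a in states if a not in has_succ}


def label_of(s):
    """Concrete labeling over AP = {low, even} for a counter state s."""
    return frozenset(p for p, holds in (("low", s < 2), ("even", s % 2 == 0)) if holds)


# Constructed concrete system M: a counter cycling 0 -> 1 -> 2 -> 3 -> 0 (already total).
M_STATES = {0, 1, 2, 3}
M_TRANS = totalize(M_STATES, {(0, 1), (1, 2), (2, 3), (3, 0)})
M = (M_STATES, M_TRANS, {s: label_of(s) for s in M_STATES})


def h(s):
    """Surjective abstraction map h : M -> A keeping only the parity of the counter."""
    return "odd" if s % 2 else "even"


def minimal_system(kripke, h):
    """M^h_min: states h(M), transitions (h x h)(->_M), and L(a) = intersection of
    L_M(x) over all x with h(x) = a, so an abstract state carries only the
    propositions true in every concrete state it stands for."""
    states, trans, label = kripke
    abs_states = {h(s) for s in states}
    abs_trans = {(h(a), h(b)) for a, b in trans}
    abs_label = {a: frozenset.intersection(*[label[s] for s in states if h(s) == a])
                 for a in abs_states}
    return abs_states, abs_trans, abs_label


def quotient(kripke, equiv):
    """A/==: states are equivalence classes, [a1] -> [a2] iff some representatives
    are related, and the label of a class is the intersection over its members."""
    states, trans, label = kripke
    classes = {frozenset(t for t in states if equiv(s, t)) for s in states}
    cls = {s: c for c in classes for s in c}
    q_trans = {(cls[a], cls[b]) for a, b in trans}
    q_label = {c: frozenset.intersection(*[label[s] for s in c]) for c in classes}
    return classes, q_trans, q_label


def is_simulation(H, A, B, strict=False):
    """Definition 2: H is total on A, every concrete step is matched by an abstract
    step, and L_B(b) is a subset of L_A(a) (equal to it when strict=True)."""
    a_states, a_trans, a_label = A
    b_states, b_trans, b_label = B
    if {a for a, _ in H} != set(a_states):
        return False
    for a, b in H:
        if not b_label[b] <= a_label[a] or (strict and b_label[b] != a_label[a]):
            return False
        for x, a2 in a_trans:
            if x == a and not any((b, b2) in b_trans and (a2, b2) in H for b2 in b_states):
                return False
    return True


def demo():
    """Proposition 1 (h is a simulation map into M^h_min) and Proposition 2 (M^h_min
    and M/==_h agree up to the bijection f(h(x)) = [x]) checked on the constructed M."""
    A = minimal_system(M, h)
    H = {(s, h(s)) for s in M_STATES}                       # graph of h
    Q = quotient(M, lambda x, y: h(x) == h(y))              # ==_h of Proposition 2
    f = {h(s): c for c in Q[0] for s in c}                  # f(h(x)) = [x]
    same = ({(f[a], f[b]) for a, b in A[1]} == Q[1]
            and all(A[2][a] == Q[2][f[a]] for a in A[0]))
    return {
        "simulation": is_simulation(H, M, A),
        "strict": is_simulation(H, M, A, strict=True),      # False: 0 is low, 2 is not
        "abstract_labels": A[2],
        "minimal_equals_quotient": same,
    }
```

Because the even states 0 and 2 disagree on `low`, the abstract state `even` keeps only `even`; this is exactly why the quotient reflects LTL$^-$ formulas but, not being strict, not arbitrary LTL formulas.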

4 Rewriting Logic Specifications and Model Checking

One can distinguish two specification levels: a system specification level, in which the computational system of interest is specified, and a property specification level, in which the relevant properties are specified. The main interest of rewriting logic [33] is that it provides a very flexible framework for the system-level specification of concurrent systems. Rewriting logic is parameterized by an underlying equational logic. In this paper we will use membership equational logic, whose main characteristics we now review.
4.1 Membership Equational Logic

Membership equational logic is an expressive version of equational logic. A full account of its syntax and semantics can be found in [5,34]; here we define the basic notions needed in this paper. The logic's expressiveness is due to its rich type structure, which supports sorts, subsorts, and operator overloading, and also errors and partiality through kinds and conditional membership axioms.

A signature in membership equational logic is a triple $(K, \Sigma, S)$ (just $\Sigma$ in the following), with $K$ a set of kinds, $\Sigma = \{\Sigma_{k_1 \ldots k_n, k}\}_{(k_1 \ldots k_n, k) \in K^* \times K}$ a many-kinded signature, and $S = \{S_k\}_{k \in K}$ a pairwise disjoint $K$-kinded family of sets of sorts. The kind of a sort $s$ is denoted by $[s]$. We write $T_{\Sigma,k}$ and $T_{\Sigma,k}(\vec{x})$ to denote respectively the set of ground $\Sigma$-terms with kind $k$ and of $\Sigma$-terms with kind $k$ over variables in $\vec{x}$, where $\vec{x} = \{x_1 : k_1, \ldots, x_n : k_n\}$ is a set of $K$-kinded variables. Sometimes we use the notation $t(\vec{x})$ to make explicit the set of variables that appear in the term $t$.

The atomic formulas of membership equational logic are either equations $t = t'$, where $t$ and $t'$ are terms of the same kind, or membership assertions of the form $t : s$, where the term $t$ has kind $k$ and $s \in S_k$. Sentences are Horn clauses on these atomic formulas, i.e., sentences of the form

$$(\forall \vec{x})\; A_0 \;\text{ if }\; A_1 \wedge \ldots \wedge A_n ,$$

where each $A_i$ is either an equation or a membership assertion, and $\vec{x}$ is a set of $K$-kinded variables. In membership equational logic, subsort relations and operator overloading are just a convenient way of writing corresponding Horn clauses. For example, assuming that $Nat$ and $Int$ are sorts of the same kind and that we have an operator $\_+\_ : [Int]\,[Int] \to [Int]$ in $\Sigma$, then the subsort relation $Nat < Int$ is convenient notation for the conditional membership $(\forall x : [Int])\; x : Int \text{ if } x : Nat$, and the overloaded operator declarations

$$\_+\_ : Nat\; Nat \to Nat \qquad \_+\_ : Int\; Int \to Int$$

are logically equivalent to

$$(\forall x : [Int],\, y : [Int])\; x + y : Nat \;\text{ if }\; x : Nat \wedge y : Nat$$
$$(\forall x : [Int],\, y : [Int])\; x + y : Int \;\text{ if }\; x : Int \wedge y : Int .$$

A theory in membership equational logic is a pair $(\Sigma, E)$, where $E$ is a finite set of sentences in membership equational logic over the signature $\Sigma$. We write $(\Sigma, E) \vdash \varphi$, or just $E \vdash \varphi$ if $\Sigma$ is clear from the context, to denote that $(\Sigma, E)$ entails the sentence $\varphi$ using the rules in Figure 1. The basic intuition is that correct or well-behaved terms are those that can be proved to have a sort, whereas error or undefined terms are terms that have a kind but do not have a sort. For example, assuming difference $\_-\_$ and integer division $\_/\_$ operators with the appropriate declarations, $3 + 2 : Nat$ and $3 - 4 : Int$, but $7/0$ is a term of kind $[Int]$ with no sort.

A $\Sigma$-algebra $A$ consists of a set $A_k$ for each $k \in K$, a function $A_f : A_{k_1} \times \ldots \times A_{k_n} \to A_k$ for each operator $f \in \Sigma_{k_1 \ldots k_n, k}$, and a subset $A_s \subseteq A_k$ for each sort $s \in S_k$. An algebra $A$ and a valuation $\sigma$, assigning to each variable $x : k$ in $\vec{x}$ a value in $A_k$, satisfy an equation $(\forall \vec{x})\; t = t'$ iff $\sigma(t) = \sigma(t')$, where we use the same notation $\sigma$ for the valuation and its homomorphic extension to terms. We write $A, \sigma \models (\forall \vec{x})\; t = t'$ to denote such a satisfaction. Similarly, $A, \sigma \models (\forall \vec{x})\; t : s$ holds iff $\sigma(t) \in A_s$. We write $A \models \varphi$ when the formula $\varphi$ is satisfied for all valuations $\sigma$, and then say that $A$ is a model of $\varphi$. As usual, we write $(\Sigma, E) \models \varphi$ when all the models of the set $E$ of sentences are also models of $\varphi$. The rules in Figure 1 specify a sound and complete calculus [34], that is, we have the equivalence $(\Sigma, E) \vdash \varphi \iff (\Sigma, E) \models \varphi$.

A theory $(\Sigma, E)$ in membership equational logic has an initial model [34], denoted by $T_{\Sigma/E}$, whose elements are equivalence classes $[t]_E$ of ground terms. In the initial model, sorts are interpreted as the smallest sets satisfying the axioms in the theory, and equality is interpreted as the smallest congruence satisfying those axioms. We write $E \vdash_{ind} \varphi$ when $\varphi$ holds in the initial model of $E$.

Fig. 1. Deduction rules for membership equational logic.

4.2 Rewriting Logic

Concurrent systems are axiomatized in rewriting logic by means of rewrite theories [33] of the form $\mathcal{R} = (\Sigma, E, R)$. The set of states is described by a membership equational theory $(\Sigma, E)$ as the algebraic data type $T_{\Sigma/E,k}$ associated to the initial algebra $T_{\Sigma/E}$ of $(\Sigma, E)$ by the choice of a kind $k$ of states in $\Sigma$. The system's transitions are axiomatized by the conditional rewrite rules $R$, which are of the form

$$\lambda : (\forall \vec{x})\; t \to t' \;\text{ if }\; \bigwedge_{i \in I} p_i = q_i \;\wedge\; \bigwedge_{j \in J} w_j : s_j \;\wedge\; \bigwedge_{l \in L} t_l \to t_l' ,$$

with $\lambda$ a label, $p_i = q_i$ and $w_j : s_j$ atomic formulas in membership equational logic for $i \in I$ and $j \in J$, and for appropriate kinds $k$ and $k_l$, $t, t' \in T_{\Sigma,k}(\vec{x})$, and $t_l, t_l' \in T_{\Sigma,k_l}(\vec{x})$ for $l \in L$. Throughout this paper we assume that $vars(t') \cup vars(cond) \subseteq vars(t)$; this could be relaxed to allow extra variables in the condition and in $t'$, provided they are added incrementally by "matching equations" in $cond$ as explained in [11,12]. Under reasonable assumptions about $E$ and $R$, rewrite theories are executable (more on this below). Indeed, there are several rewriting logic language implementations, including CafeOBJ [23], ELAN [4], and Maude [11,12].

We can illustrate rewriting logic specifications by means of an example, namely a simplified version of Lamport's bakery protocol [28]. This is an infinite state protocol that achieves mutual exclusion between processes by dispensing a number to each process and serving them in sequential order according to the number they hold. A simple Maude specification for the case of two processes and atomic transitions is as follows:

mod BAKERY is
  protecting NAT .
  sorts Mode BState .
  ops sleep wait crit : -> Mode [ctor] .
  *** a state is < mode of process 1, its number, mode of process 2, its number >
  op <_,_,_,_> : Mode Nat Mode Nat -> BState [ctor] .
  op initial : -> BState .
  vars P Q : Mode .
  vars X Y : Nat .
  eq initial = < sleep, 0, sleep, 0 > .
  *** process 1 takes a number above the one held by process 2 and enters its
  *** critical section when process 2 holds no number (0) or a larger one
  rl [p1_sleep] : < sleep, X, Q, Y > => < wait, s Y, Q, Y > .
  rl [p1_wait] : < wait, X, Q, 0 > => < crit, X, Q, 0 > .
  crl [p1_wait] : < wait, X, Q, Y > => < crit, X, Q, Y > if not (Y < X) .
  rl [p1_crit] : < crit, X, Q, Y > => < sleep, 0, Q, Y > .
  *** process 2 is symmetric; equal numbers are resolved in favour of process 1
  rl [p2_sleep] : < P, X, sleep, Y > => < P, X, wait, s X > .
  rl [p2_wait] : < P, 0, wait, Y > => < P, 0, crit, Y > .
  crl [p2_wait] : < P, X, wait, Y > => < P, X, crit, Y > if Y < X .
  rl [p2_crit] : < P, X, crit, Y > => < P, X, sleep, 0 > .
endm

This specification corresponds to a rewrite theory $\mathcal{R} = (\Sigma, E, R)$, where $(\Sigma, E)$ imports the equational theory NAT of the natural numbers and where $\Sigma$ has additional sorts Mode and BState, with Mode consisting of just the constants sleep, wait, and crit. States are represented by terms of sort BState, which are constructed by a 4-tuple operator <_,_,_,_>: the first two components describe the status of the first process (the mode it is currently in, and its priority as given by the number according to which it will be served) and the last two the status of the second process. $E$ consists of just the equations imported from NAT, plus the above equation defining the initial state. $R$ consists of eight rewrite rules, four for each process. These rules describe how each process passes from being sleeping to waiting, from waiting to its critical section, and then back to sleeping. In this case, the chosen kind $k$ for states is of course the kind [BState] associated with the sort BState. Note that in Maude each entity in $(\Sigma, E, R)$ is introduced by a corresponding keyword, such as sorts for sorts, op for an operator, eq (resp. ceq) for equations (resp. conditional equations), and rl (resp. crl) for rules (resp. conditional rules) that optionally can be labeled.

Rewriting logic then has the inference rules in Figure 2 to infer all the possible concurrent computations in a system [33,7], in the sense that, given two states $[u], [v] \in T_{\Sigma/E,k}$, we can reach $[v]$ from $[u]$ by some possibly complex concurrent computation iff we can prove $u \to v$ in the logic; we denote this provability by $\mathcal{R} \vdash u \to v$. In particular we can easily define the one-step $\mathcal{R}$-rewriting relation, which is a binary relation $\to^1_{\mathcal{R},k}$ on $T_{\Sigma,k}$ that holds between terms $u, v \in T_{\Sigma,k}$ iff there is a one-step proof of $u \to v$. More precisely, $u \to^1_{\mathcal{R},k} v$ if either there is a derivation of $u \to v$ whose last rule is (Replacement), or (Equality) applied to a pair of terms already in the relation, or if, for some $f \in \Sigma_{k_1 \ldots k_n, k}$, $u = f(t_1, \ldots, t_n)$ and $v = f(t_1', \ldots, t_n')$, and there exists $i$ such that $t_i \to^1_{\mathcal{R},k_i} t_i'$ and $t_j = t_j'$ for all $j \neq i$. (Transitivity) is thus allowed, but only to solve the conditions that may arise in (Replacement). We can get a binary relation (with the same name) $\to^1_{\mathcal{R},k}$ on $T_{\Sigma/E,k}$ by defining $[u] \to^1_{\mathcal{R},k} [v]$ iff $u' \to^1_{\mathcal{R},k} v'$ for some $u' \in [u]$, $v' \in [v]$. This then makes unnecessary the (Equality) rule, because $[u] \to^1_{\mathcal{R},k} [v]$ is defined at the level of $E$-equivalence classes.

The relationship with Kripke structures is now almost obvious: we can associate to a concurrent system axiomatized by a rewrite theory $\mathcal{R} = (\Sigma, E, R)$ with a chosen kind $k$ of states a Kripke structure

$$\mathcal{K}(\mathcal{R}, k)_\Pi = (T_{\Sigma/E,k},\; (\to^1_{\mathcal{R},k})^{\bullet},\; L_\Pi) .$$

We say "almost obvious," because nothing has yet been said about the choice of state predicates $\Pi$ and the associated labeling function $L_\Pi$. The reason for this is methodological: $\Pi$, $L_\Pi$, and the LTL formulas $\varphi$ describing properties of the system specified by $\mathcal{R}$ belong to the property specification level. Indeed, for the same system specification $\mathcal{R}$ we may come up with different predicates $\Pi$, labeling functions $L_\Pi$, and properties $\varphi$, depending on the properties of interest.
Fig. 2. Deduction rules for rewrite theories.


The question of when a rewrite theory $\mathcal{R}$ is executable is closely related with wanting $T_{\Sigma/E,k}$ to be a computable set, and $(\to^1_{\mathcal{R},k})^{\bullet}$ to be a computable relation in the above Kripke structure $\mathcal{K}(\mathcal{R}, k)_\Pi$, an obvious precondition for any model checking. We say that $\mathcal{R} = (\Sigma, E \cup A, R)$ is executable if:

1. there exists a matching algorithm modulo the equational axioms $A$;^4

2. the equational theory $(\Sigma, E \cup A)$ is (ground) Church-Rosser and terminating modulo $A$ [18]; and

3. the rules $R$ are (ground) coherent [40] relative to the equations $E$ modulo $A$.

Conditions 1 and 2 ensure that $T_{\Sigma/E \cup A,k}$ is a computable set, since each ground term $t$ can be simplified by applying the equations $E$ from left to right modulo $A$ to reach a canonical form $can_{E/A}(t)$ which is unique modulo the axioms $A$. We can then reduce the equality problem $[u]_{E \cup A} = [v]_{E \cup A}$ to the decidable equality problem $[can_{E/A}(u)]_A = [can_{E/A}(v)]_A$.

Condition 3 means that for each ground term $t$, whenever we have $t \to^1_{\mathcal{R},k} u$ we can always find $can_{E/A}(t) \to^1_{\mathcal{R},k} v$ such that $[can_{E/A}(u)]_A = [can_{E/A}(v)]_A$. This implies that $(\to^1_{\mathcal{R},k})^{\bullet}$ is a computable binary relation on $T_{\Sigma/E \cup A,k}$, since we can decide $[t]_{E \cup A} \to^1_{\mathcal{R},k} [w]_{E \cup A}$ by enumerating the finite set of all one-step $R$-rewrites modulo $A$ of $can_{E/A}(t)$, and for any such rewrite, say $v$, we can decide $[can_{E/A}(w)]_A = [can_{E/A}(v)]_A$.

Coherence can be checked by critical-pair-like techniques similar to those used for checking equational confluence and performing Knuth-Bendix completion; the general theory is developed in [40]. Intuitively, the idea is to first establish that $E$ is Church-Rosser and terminating modulo $A$, and then check the coherence of "relative critical pairs" (that is, overlaps on nonvariable subterms obtained by unification) between the equations $E$ and the rules $R$ modulo the axioms $A$; see Section 7 for examples.

4.3 LTL Properties of Rewrite Theories and Model Checking

One appealing feature of rewriting logic is that it provides a seamless integration of the system specification level and the property specification level, because we can specify the relevant state predicates $\Pi$ equationally, and this then determines the labeling function $L_\Pi$ and the semantics of the LTL formulas $\varphi$ in a unique way. Indeed, to associate LTL properties to a rewrite theory $\mathcal{R} = (\Sigma, E \cup A, R)$ with a chosen kind $k$ of states we only need to make explicit the relevant state predicates $\Pi$, which need not be part of the system specification $\mathcal{R}$. The state predicates $\Pi$ can be defined by means of equations $D$ in an equational theory $(\Sigma', E \cup A \cup D)$ that protects $(\Sigma, E \cup A)$; specifically, the unique $\Sigma$-homomorphism $T_{\Sigma/E \cup A} \to T_{\Sigma'/E \cup A \cup D}$ induced by the theory inclusion $(\Sigma, E \cup A) \subseteq (\Sigma', E \cup A \cup D)$ should be bijective at each sort $s$ in $\Sigma$.

^4 In the rewriting logic language Maude, the axioms $A$ for which the rewrite engine supports matching modulo are any combination of associativity, commutativity, and identity axioms for different binary operators.

The syntax defining the state predicates consists of a subsignature $\Pi \subseteq \Sigma'$ of operators $p$ of the general form $p : s_1 \ldots s_n \to Prop$ (with $Prop$ the sort of propositions), reflecting the fact that state predicates can be parametric. The semantics of the state predicates $\Pi$ is defined by $D$ with the help of an operator $\_\models\_ : k\; [Prop] \to [Bool]$ in $\Sigma'$. By definition, given ground terms $u_1, \ldots, u_n$, we say that the state predicate $p(u_1, \ldots, u_n)$ holds in the state $[t]$ iff

$$E \cup A \cup D \vdash_{ind} t \models p(u_1, \ldots, u_n) = true .$$


We can now associate to $\mathcal{R}$ a Kripke structure $\mathcal{K}(\mathcal{R}, k)_\Pi$, whose atomic predicates are specified by the set $AP_\Pi = \{\theta(p) \mid p \in \Pi,\; \theta \text{ ground substitution}\}$.^5

Definition 5. The Kripke structure associated to a rewrite theory $\mathcal{R}$ is given by $\mathcal{K}(\mathcal{R}, k)_\Pi = (T_{\Sigma/E \cup A,k},\; (\to^1_{\mathcal{R},k})^{\bullet},\; L_\Pi)$, where

$$L_\Pi([t]) = \{\theta(p) \in AP_\Pi \mid \theta(p) \text{ holds in } [t]\} .$$

In practice we want the equality $t \models p(u_1, \ldots, u_n) = true$ to be decidable. This can be achieved by giving equations in $E \cup D$ that are Church-Rosser and terminating modulo $A$. Then, if we begin with an executable rewrite theory $\mathcal{R}$ and define decidable state predicates $\Pi$ by the method just described, we obtain a computable Kripke structure $\mathcal{K}(\mathcal{R}, k)_\Pi$ which, if it has finite sets of reachable states, can be used for model checking.

Since its 2.0 version, the Maude system has an on-the-fly, explicit-state LTL model checker [22] which supports the methodology just mentioned. Given an executable rewrite theory specified in Maude by a module M, and an initial state, say initial of sort $State_M$, we can model check different LTL properties beginning at this state. For that, a new module M-PREDS must be defined importing both M and the predefined module SATISFACTION, and a subsort declaration $State_M$ < State must be added (this declaration can be omitted if State = $State_M$). Then, the syntax of the state predicates must be declared by means of operators of sort Prop and their semantics must be given by equations involving the satisfaction operator op _|=_ : [State] [Prop] -> [Bool] . Once the semantics of the state predicates has been defined, and assuming that the set of states reachable from initial is finite, we define a new module M-CHECK that imports both M-PREDS and the predefined module MODEL-CHECKER; then we can model check any LTL formula in LTL($AP_\Pi$) by giving to Maude the command:

reduce modelCheck(initial, formula) .

Continuing  with  our  bakery  protocol  example,  two  basic  properties  that  we  may  wish  to 
verify  are: 

1.  mutual  exclusion:  the  two  processes  are  never  simultaneously  in  their  critical  section;  and 

2.  liveness:  any  process  in  waiting  mode  will  eventually  enter  its  critical  section. 

In order to specify these properties it is enough to specify in Maude the following set $\Pi$ of state predicates:

⁵ By convention, if $p$ has $n$ parameters, $\theta(p)$ denotes the term $\theta(p(x_1, \dots, x_n))$.
    mod BAKERY-PREDS is
      protecting BAKERY .
      including SATISFACTION .
      subsort BState < State .

      ops 1wait 2wait 1crit 2crit : -> Prop [ctor] .
      vars P Q : Mode .
      vars X Y : Nat .

      eq < wait, X, Q, Y > |= 1wait = true .
      eq < sleep, X, Q, Y > |= 1wait = false .
      eq < crit, X, Q, Y > |= 1wait = false .
      eq < P, X, wait, Y > |= 2wait = true .
      eq < P, X, sleep, Y > |= 2wait = false .
      eq < P, X, crit, Y > |= 2wait = false .
      eq < crit, X, Q, Y > |= 1crit = true .
      eq < sleep, X, Q, Y > |= 1crit = false .
      eq < wait, X, Q, Y > |= 1crit = false .
      eq < P, X, crit, Y > |= 2crit = true .
      eq < P, X, sleep, Y > |= 2crit = false .
      eq < P, X, wait, Y > |= 2crit = false .
    endm

Mutual exclusion is then expressed by the formula []~ (1crit /\ 2crit), and liveness by (1wait |-> 1crit) /\ (2wait |-> 2crit), where [] and |-> are respectively the symbols used by the model checker to represent $\Box$ and $\leadsto$ (leads-to).

Since  the  set  of  states  reachable  from  initial  (defined  in  the  BAKERY  module)  is  infinite, 
we  should  not  model  check  the  above  specification  as  given.  Instead,  we  should  first  define 
an  abstraction  of  it  where  initial  has  only  finitely  many  reachable  states  and  then  model 
check  the  abstraction. 

5  Equational  Abstractions 

Let $\mathcal{R} = (\Sigma, E \cup A, R)$ be a rewrite theory. A quite general method for defining abstractions of the Kripke structure $\mathcal{K}(\mathcal{R},k)_\Pi = (T_{\Sigma/E \cup A,k},\ (\to^1_{\mathcal{R},k})^\bullet,\ L_\Pi)$ is by specifying an equational theory extension of the form

$(\Sigma, E \cup A) \subseteq (\Sigma, E \cup A \cup E').$

Since this defines an equivalence relation $\equiv_{E'}$ on $T_{\Sigma/E \cup A,k}$, namely,

$[t]_{E \cup A} \equiv_{E'} [t']_{E \cup A} \iff E \cup A \cup E' \vdash t = t' \iff [t]_{E \cup A \cup E'} = [t']_{E \cup A \cup E'},$

we can obviously define our quotient abstraction as $\mathcal{K}(\mathcal{R},k)_\Pi/{\equiv_{E'}}$. We call this the equational quotient abstraction of $\mathcal{K}(\mathcal{R},k)_\Pi$ defined by $E'$.

But can $\mathcal{K}(\mathcal{R},k)_\Pi/{\equiv_{E'}}$, which we have just defined in terms of the underlying Kripke structure $\mathcal{K}(\mathcal{R},k)_\Pi$, be understood as the Kripke structure associated to another rewrite theory? Let us take a closer look at

$\mathcal{K}(\mathcal{R},k)_\Pi/{\equiv_{E'}} = (T_{\Sigma/E \cup A,k}/{\equiv_{E'}},\ (\to^1_{\mathcal{R},k})^\bullet/{\equiv_{E'}},\ L_\Pi/{\equiv_{E'}}).$

The first observation is that, by definition, we have $T_{\Sigma/E \cup A,k}/{\equiv_{E'}} = T_{\Sigma/E \cup A \cup E',k}$. A second observation is that if $\mathcal{R}$ is $k$-deadlock free, that is, if we have $(\to^1_{\mathcal{R},k})^\bullet = \to^1_{\mathcal{R},k}$, then the rewrite theory $\mathcal{R}/E' = (\Sigma, E \cup A \cup E', R)$ is also $k$-deadlock free and we have, under some mild requirements (see Lemma 2 later):

$(\to^1_{\mathcal{R}/E',k})^\bullet = \to^1_{\mathcal{R}/E',k} = \to^1_{\mathcal{R},k}/{\equiv_{E'}}.$

Therefore, for $\mathcal{R}$ $k$-deadlock free, our obvious candidate for a rewrite theory having $\mathcal{K}(\mathcal{R},k)_\Pi/{\equiv_{E'}}$ as its underlying Kripke structure is the rewrite theory $\mathcal{R}/E' = (\Sigma, E \cup A \cup E', R)$. That is, we just add to $\mathcal{R}$ the equations $E'$ and do not change at all the rules $R$.

How restrictive is the requirement that $\mathcal{R}$ is $k$-deadlock free? There is no essential loss of generality: in Section 6 we show how we can always associate to an executable rewrite theory $\mathcal{R}$ with no rewrites appearing in the conditions of its rules a semantically equivalent (from the LTL point of view) theory $\mathcal{R}_{df}$ which is both deadlock free and executable. All theories we have come across in our case studies satisfy that requirement.

In this way, at a purely mathematical level, $\mathcal{R}/E'$ seems to be what we want. Assuming that we have an $A$-matching algorithm, two problems may arise from the following two executability questions about $\mathcal{R}/E'$, which are essential for $\mathcal{K}(\mathcal{R},k)_\Pi/{\equiv_{E'}}$ to be computable and therefore for model checking:

- Are the equations $E \cup E'$ ground Church-Rosser and terminating modulo $A$?

- Are the rules $R$ ground coherent relative to $E \cup E'$ modulo $A$?

The answer to each of these questions may be affirmative or negative. In practice, sufficient care on the part of the user when specifying $E'$ should result in an affirmative answer to the first question. In any case, we can always try to check such a property with a tool such as Maude's Church-Rosser checker [19]; if the check fails, we can try to complete the equations with a Knuth-Bendix completion tool, for example [15], to get a theory $(\Sigma, E'' \cup A)$ equivalent to $(\Sigma, E \cup A \cup E')$ for which the first question has an affirmative answer. Likewise, we can try to check whether the rules $R$ are ground coherent relative to $E \cup E'$ (or to $E''$) modulo $A$ using the tool described in [20]. If the check fails, we can again try to complete the rules $R$ to a semantically equivalent set of rules $R'$, using also that tool [20]. By this process we can hopefully arrive at an executable rewrite theory $\mathcal{R}' = (\Sigma, E'' \cup A, R')$ which is semantically equivalent to $\mathcal{R}/E'$. We can then use $\mathcal{R}'$ to try to model check properties about $\mathcal{R}$.

But we are not finished yet. What about the state predicates $\Pi$? Recall (see Section 4.3) that these (possibly parameterized) state predicates will have been defined by means of equations $D$ in a Maude module importing the specification of $\mathcal{R}$ and also the module SATISFACTION. The question is whether the state predicates $\Pi$ are preserved under the equations $E'$. This indeed may be a problem. We need to unpack a little the definition of the labeling function $L_\Pi/{\equiv_{E'}}$, which is defined by the intersection formula

$L_\Pi/{\equiv_{E'}}([t]_{E \cup A \cup E'}) = \bigcap_{[t']_{E \cup A} \subseteq [t]_{E \cup A \cup E'}} L_\Pi([t']_{E \cup A}).$

In general, computing such an intersection and coming up with new equational definitions $D'$ capturing the new labeling function $L_\Pi/{\equiv_{E'}}$ may not be easy. It becomes much easier if the state predicates $\Pi$ are preserved under the equations $E'$. By definition, we say that the state predicates $\Pi$ are preserved under the equations $E'$ if for any $[t]_{E \cup A}, [t']_{E \cup A} \in T_{\Sigma/E \cup A,k}$ we have the implication

$[t]_{E \cup A \cup E'} = [t']_{E \cup A \cup E'} \implies L_\Pi([t]_{E \cup A}) = L_\Pi([t']_{E \cup A}).$

Note that in this case, assuming that the equations $E \cup E' \cup D$ (or $E'' \cup D$) are ground Church-Rosser and terminating modulo $A$, we do not need to change the equations $D$ to define the state predicates $\Pi$ on $\mathcal{R}/E'$ (or its semantically equivalent $\mathcal{R}'$). Therefore, we have an isomorphism (given by a pair of invertible bisimulation maps)

$\mathcal{K}(\mathcal{R},k)_\Pi/{\equiv_{E'}} \cong \mathcal{K}(\mathcal{R}/E',k)_\Pi,$

or, in case we need the semantically equivalent $\mathcal{R}'$, an isomorphism

$\mathcal{K}(\mathcal{R},k)_\Pi/{\equiv_{E'}} \cong \mathcal{K}(\mathcal{R}',k)_\Pi.$

The crucial point in both isomorphisms is that the labeling function of the righthand side Kripke structure is now equationally defined by the same equations $D$ as before. Since by construction either $\mathcal{R}/E'$ or $\mathcal{R}'$ is an executable theory, for an initial state $[t]_{E \cup A \cup E'}$ having a finite set of reachable states we can use the Maude model checker to model check any LTL formula in this equational quotient abstraction. Furthermore, since the quotient $AP_\Pi$-simulation map

$\mathcal{K}(\mathcal{R},k)_\Pi \to \mathcal{K}(\mathcal{R}/E',k)_\Pi$

is then by construction strict, by Theorem 1 it reflects satisfaction of arbitrary LTL formulas. (Indeed, also of arbitrary ACTL* formulas.)

A practical problem remains: how can we actually try to prove the implication

$[t]_{E \cup A \cup E'} = [t']_{E \cup A \cup E'} \implies L_\Pi([t]_{E \cup A}) = L_\Pi([t']_{E \cup A})$

to show the desired preservation of state predicates? A first result in solving that problem is the following, where BOOL is the predefined theory of Boolean values.

Theorem 2. Let $\mathcal{R} = (\Sigma, E \cup A, R)$ be a $k$-deadlock free rewrite theory and let $D$ be equations defining (possibly parametric) state predicates $\Pi$ fully defined for all states of kind $k$ as either true or false, and assume that $(\Sigma', E \cup A \cup D)$ protects BOOL. Let then $E'$ be a set of $\Sigma$-equations such that $(\Sigma', E \cup A \cup E' \cup D)$ also protects BOOL. Then, the state predicates $\Pi$ are preserved under $E'$.

Proof. We have to check that $\equiv_{E'}$ is label-preserving, which is equivalent to proving the following equivalences for each $p \in \Pi$ and ground substitution $\theta$:

$E \cup A \cup D \vdash_{ind} t \models \theta(p) = true \iff E \cup A \cup E' \cup D \vdash_{ind} t \models \theta(p) = true$

$E \cup A \cup D \vdash_{ind} t \models \theta(p) = false \iff E \cup A \cup E' \cup D \vdash_{ind} t \models \theta(p) = false$

The implications from left to right follow by monotonicity of equational reasoning. The converse implications follow from the protecting BOOL assumption, since we can reason by contradiction. Suppose, for example, that $E \cup A \cup E' \cup D \vdash_{ind} t \models \theta(p) = true$ but $E \cup A \cup D \nvdash_{ind} t \models \theta(p) = true$; by the protecting BOOL assumption this forces $E \cup A \cup D \vdash_{ind} t \models \theta(p) = false$, which implies $E \cup A \cup E' \cup D \vdash_{ind} t \models \theta(p) = false$, contradicting the protection of BOOL. □

The fact that BOOL is protected can be automatically checked with the sufficient completeness checker (SCC) for Maude [25]. This tool accepts a module as input and checks whether it is sufficiently complete, in the intuitive sense that enough equations are specified so that every term can be reduced to a canonical form in which only constructor operators are used; for BOOL, these constructors are true and false. The SCC tool assumes that the specification is terminating and confluent, which can also be proved automatically with tools like the Church-Rosser Checker (CRC) [19] and the Maude Termination Tool (MTT) [21] if all equations are unconditional; otherwise, conditional critical pairs appear that complicate the proof. So Theorem 2 is especially useful in the unconditional case. We show an example of its application in Section 7.2; [12, Chapter 13] contains an abstraction for the bakery protocol different from the one discussed in Section 7.1, which can be proved correct with this theorem.

We now present a more general and powerful condition to prove preservation of predicates. A signature $\Sigma$ is $k$-encapsulated if the kind $k$ only appears as the codomain of a single operator $f : k_1 \dots k_n \to k$, and does not appear as an argument in any operator in $\Sigma$. Then, a particularly easy case for proving the preservation of predicates is that of $k$-encapsulated rewrite theories, for $k$ the kind of states. This condition is very mild, since any rewrite theory $\mathcal{R}$ can be transformed into a semantically equivalent $k'$-encapsulated one by enclosing the original states in the kind $k$ into new states in a kind $k'$ through an operator $\{\_\} : k \to k'$, as made precise by the following lemma.

Lemma 1. Given a rewrite theory $\mathcal{R} = (\Sigma, E, R)$ and a kind $k \in \Sigma$, define the rewrite theory $\mathcal{R}' = (\Sigma', E, R)$ with $\Sigma'$ extending $\Sigma$ with a new kind $k'$ and an operator $\{\_\} : k \to k'$. $\mathcal{R}'$ so defined is $k'$-encapsulated.

Furthermore, if $\Pi$ is a set of state predicates for $\mathcal{R}$ defined by a set of equations $D$, define state predicates $\Pi$ for $\mathcal{R}'$ by transforming each equation⁶ $(t \models p) = b \text{ if } C$ in $D$ into $(\{t\} \models p) = b \text{ if } C$. Then, the function $h : T_{\Sigma'/E,k'} \to T_{\Sigma/E,k}$ given by $h([\{t\}]_E) = [t]_E$ defines a bijective bisimulation $\mathcal{K}(\mathcal{R},k)_\Pi \cong \mathcal{K}(\mathcal{R}',k')_\Pi$.

Proof. Since no new rules or equations are added to $\mathcal{R}'$, it is immediate that $\{t\} \to^1_{\mathcal{R}',k'} \{t'\}$ iff $t \to^1_{\mathcal{R},k} t'$. But then, since $h$ maps the term $\{t\}$ to $t$, we have that the transition relation is preserved in both directions. As for the state predicates, by the transformation applied to the equations in $D$ and, again, since no new equations have been added to $\mathcal{R}'$, we have $L_\Pi(\{t\}) = L_\Pi(t)$, and the result follows. □


Besides  being  useful  for  the  study  of  preservation  of  properties,  encapsulation  offers  a 
way  to  tackle  the  deadlock  freedom  of  theories. 


Lemma 2. Suppose that $\mathcal{R} = (\Sigma, E \cup A, R)$ is a $k$-encapsulated rewrite theory and that $E'$ is a set of equations of the form $t = t' \text{ if } C$, with $t, t' \in T_{\Sigma,k}(X)$. Then, if $\mathcal{R}$ is $k$-deadlock free and no terms of kind $k$ appear in the conditions of the rewrite rules in $R$, the rewrite theory $\mathcal{R}/E' = (\Sigma, E \cup A \cup E', R)$ is also $k$-deadlock free and we have

$\to^1_{\mathcal{R}/E',k'} = \to^1_{\mathcal{R},k'}/{\equiv_{E'}}$

for all kinds $k'$ in $\Sigma$.

Proof. It is clear that $\mathcal{R}/E'$ is $k$-deadlock free because every rewrite in $\mathcal{R}$ is also a rewrite in $\mathcal{R}/E'$. For the same reason, the second relation is included in the first one. Now, assume that $[t] \to^1_{\mathcal{R}/E',k'} [t']$. By induction on the definition of $\to^1_{\mathcal{R}/E',k'}$:

- If there is a rule $l \to r \text{ if } C$ in $R$ and a ground substitution $\theta$ such that $[t] = [\theta(l)]$, $[t'] = [\theta(r)]$, and $E \cup A \cup E' \vdash \theta(C)$ then, because of the restrictions on $E'$ and $R$, we have $E \cup A \vdash \theta(C)$ (see Lemma 3 for the details of a similar proof) and therefore $[t] = [\theta(l)] \to^1_{\mathcal{R},k'}/{\equiv_{E'}} [\theta(r)] = [t']$.

- If $[t] = [f(u_1, \dots, u_n)]$, $[t'] = [f(u'_1, \dots, u'_n)]$, and $[u_i] \to^1_{\mathcal{R}/E',k_i} [u'_i]$ for some $i$, the result follows by the induction hypothesis. □


Now, a useful fact about $k$-encapsulated theories, easy to prove from the rules of equational deduction and needed in the proof of our main result, is:

Lemma 3. Let $(\Sigma, E)$ be $k$-encapsulated and let $E'$ be a set of (possibly conditional) equations whose left and righthand sides are terms of kind $k$. Then, if no terms of kind $k$ appear in any conditions in $E$, we have $T_{\Sigma/E,k'} = T_{\Sigma/E \cup E',k'}$ for each kind $k'$ different from $k$.

6  The  explicit  quantification  of  variables  in  equations  is  necessary  to  avoid  inconsistencies  when  there 
are  kinds  with  no  ground  terms.  In  all  our  proofs  we  take  that  into  account  but,  in  order  to  ease  the 
presentation,  we  will  not  write  them  whenever  it  is  more  convenient. 




Proof. We will prove that

$E \cup E' \vdash (\forall X)\, u = v \text{ implies } E \vdash (\forall X)\, u = v$

by structural induction on the derivation:

- (Reflexivity), (Symmetry), (Transitivity), and (Membership). Trivial.

- (Congruence). If

$\dfrac{u_1 = v_1 \quad \cdots \quad u_n = v_n}{f(u_1, \dots, u_n) = f(v_1, \dots, v_n)}$

is the last step of a derivation in $E \cup E'$ then, since the theory is $k$-encapsulated, none of the $u_i$ or $v_i$ is of kind $k$ and we can apply the induction hypothesis to get $E \vdash u_i = v_i$, whence the result follows.

- (Replacement). If

$\dfrac{\theta(C)}{\theta(t = t')}$

is the last step of a derivation in $E \cup E'$ for some equation $t = t' \text{ if } C$ in $E$ (note that by hypothesis it cannot belong to $E'$), we can apply the induction hypothesis to $\theta(C)$ since it cannot contain equations between terms of kind $k$, and the result follows. □


We can now give a sufficient condition under which preservation of atomic predicates is guaranteed. Actually, the following result proves much more, since it shows that BOOL is protected and that the resulting theory is sort-decreasing and terminating.

Theorem 3. Let $(\Sigma', E \cup D)$ be the extension of $(\Sigma, E)$ with the operator $\_\models\_$ and equations for the state predicates. Assume that $(\Sigma', E \cup D)$ and $(\Sigma, E \cup E')$ are both ground confluent, sort-decreasing, and terminating, and both protect BOOL. Assume also that for any $f : k_1 \dots k_n \to k'$ in $\Sigma'$, if $[Bool]$ appears among the argument kinds $k_1, \dots, k_n$, then $k'$ is not $[Bool]$.

Furthermore, assume that $(\Sigma, E)$ is $k$-encapsulated, the left and righthand side terms of the equations in $E'$ are of kind $k$, and no terms of kind $k$ appear in any conditions in $E$ or $E'$. Then, if for each equation $(\forall X)\, t = t' \text{ if } C$ in $E'$ and each $p \in \Pi$ we have

(†) $E \cup D \vdash_{ind} (\forall X, Y)\, C \to (t(X) \models p(Y) = t'(X) \models p(Y))$

then $(\Sigma', E \cup E' \cup D)$ is ground confluent, sort-decreasing, and terminating, and protects BOOL.

Proof. Sort-decreasingness is obvious, since all the equations in $E \cup E' \cup D$ are sort-decreasing by hypothesis.

We show confluence and termination for each kind. Note that, by the above assumptions, for any kind $k''$ other than $[Bool]$ or $[Prop]$ we have $T_{\Sigma',k''} = T_{\Sigma,k''}$. Therefore, the only equations applying to ground terms of those kinds are those in $E \cup E'$, which are ground confluent and terminating by hypothesis. Similarly, any ground term $p(t_1, \dots, t_n)$ has subterms $t_1, \dots, t_n$ with kinds different from $[Bool]$ or $[Prop]$, and the ground confluence and termination for each of those kinds, plus the absence of equations for $p$, easily yields ground confluence and termination. So we are left with terms in $T_{\Sigma',[Bool]}$ which, by the assumptions, are either:

1. terms in $T_{\Sigma,[Bool]}$, or

2. ground terms of the form $t \models p(u)$, or

3. Boolean combinations of true, false, and terms of the forms (1)-(2) above.
Since for terms of type (1) only equations in $E \cup E'$ apply, their ground confluence and termination follows by hypothesis. It all then boils down to showing ground confluence and termination of terms of type (2), because then the type (3) case follows easily by case analysis and a non-overlap confluence argument from types (1)-(2).

Note that termination for terms of type (2) follows from the observation that all sequences rewriting a term of the form $t \models p(u)$ must be either of the form $t \models p(u) \to^*_{E \cup E'} t' \models p(u')$, or of the form $t \models p(u) \to^*_{E \cup E'} t' \models p(u') \to_D b$, with $b$ either true or false. The second kind of sequences are already terminating, and since $E \cup E'$ is by hypothesis terminating, we cannot have infinite sequences of the first kind: they must all eventually reach a unique normal form.

Confluence now follows easily from the fact that, given any two $E \cup E' \cup D$-rewrite sequences starting at a ground term $t \models p(u)$, we can always extend them to terminating sequences of the form $t \models p(u) \to^*_{E \cup E'} t' \models p(u') \to_D b$ and $t \models p(u) \to^*_{E \cup E'} t'' \models p(u'') \to_D b'$. If $b$ equals $b'$, we are done. Otherwise, we have, say, $t \models p(u) \to^*_{E \cup E'} t' \models p(u') \to_D true$ and $t \models p(u) \to^*_{E \cup E'} t'' \models p(u'') \to_D false$. But, since $E \cup E'$ is ground confluent and terminating, we also have a sequence of the form $t \models p(u) \to^*_{E \cup E'} can_{E \cup E'}(t \models p(u)) \to_D b''$, with $b''$ either true or false, say $b'' = true$ (the other case is analogous). Graphically:


Since we also have a sequence $t'' \models p(u'') \to^*_{E \cup E'} can_{E \cup E'}(t \models p(u))$, we will reach a contradiction (against the protecting BOOL hypothesis for $E \cup D$) if we show that we must have $E \cup D \vdash_{ind} can_{E \cup E'}(t \models p(u)) = false$. This we can easily prove by induction on the number of steps in the sequence $t'' \models p(u'') \to^*_{E \cup E'} can_{E \cup E'}(t \models p(u))$. For a single step resulting from an equation $\varphi$ of the form $l = r \text{ if } C$ and substitution $\theta$, it must be $E \cup E' \vdash \theta(C)$; the conditions in Lemma 3 are satisfied and hence $E \vdash \theta(C)$. If $\varphi \in E$, it follows that $E \cup D \vdash t'' \models p(u'') = can_{E \cup E'}(t \models p(u))$ and we are done. Otherwise, because of the main hypothesis we have

$E \cup D \vdash_{ind} (\forall X, Y)\, C \to (l \models p(Y) = r \models p(Y));$

then, since $E \cup D \vdash \theta(C)$, also $E \cup D \vdash_{ind} \theta(l \models p(Y)) = \theta(r \models p(Y))$, perhaps extending $\theta$ to the variables in $Y$. The result now follows by induction. □

Summing up, to prove the preservation of state predicates when the abstraction equations $E'$ are unconditional, often Theorem 2 will be enough. In the conditional case, however, we need to resort to the more powerful Theorem 3. As a consequence of this theorem, to prove that the state predicates $\Pi$ are preserved in an equational abstraction we can use a tool like Maude's ITP [13] to mechanically discharge proof obligations of the form (†), under the above assumptions on $\mathcal{R}$, $E'$, and $D$. In particular, the theory has to be $k$-encapsulated but, as Lemma 1 has shown, this implies no loss of generality. We illustrate the use of this more general theorem with the abstraction for the bakery protocol presented in Section 7.1.

Notice that the fact that the state kind is encapsulated does not preclude the use of recursive data structures in state components, for example a history variable. For instance, the case study in Section 7.2 shows indeed encapsulated states involving such recursive structures. In fact, the encapsulation requirement poses no real restriction in practice, since Lemma 1 allows us to transform any rewrite theory $\mathcal{R}$ with state kind $k$ into an equivalent $k'$-encapsulated one.
6 The Deadlock Difficulty


The reason why we have focused on deadlock-free rewrite theories is because deadlocks can pose a problem, due to a technical point in the Kripke structure semantics of LTL. As emphasized in its definition, the transition relation of a Kripke structure is total, and this requirement is also imposed on the Kripke structures arising from rewrite theories. Consider then the following specification of a rewrite theory, together with the declaration of two state predicates:

    mod FOO is
      inc SATISFACTION .
      ops a b c : -> State [ctor] .
      ops p1 p2 : -> Prop [ctor] .
      eq (a |= p1) = true .  eq (a |= p2) = false .
      eq (b |= p2) = true .  eq (b |= p1) = false .
      eq (c |= p1) = true .  eq (c |= p2) = false .
      rl a => b .
      rl b => c .
    endm

The transition relation of the Kripke structure corresponding to this specification has three elements: $a \to b$, $b \to c$, and $c \to c$, the last one consistently added as a deadlock transition according to the definition of $(\to^1_{\mathcal{R},[State]})^\bullet$.

Suppose now that we wanted to abstract this system and that we decided to identify states $a$ and $c$ by means of a simulation map $h$. For that, according to the method presented in the previous sections, it would be enough to add the equation eq c = a to the above specification. The resulting system is coherent, and $a$ and $c$ satisfy the same state predicates. Note that the corresponding Kripke structure has only two elements in its transition relation: one from the equivalence class of $a$ to that of $b$, and another in the opposite direction. Now, since no deadlock can occur in any of the states, we have $(\to^1_{\mathcal{R}/E',[State]})^\bullet = \to^1_{\mathcal{R}/E',[State]}$ for $E'$ the equation eq c = a, so that no additional deadlock transitions are added. In particular, there is no transition from the equivalence class of $a$ to itself, but that means that the resulting specification does not correspond to the minimal system associated to $h$, in which such a transition does exist. The lack of this idle transition is a serious problem, because now we can prove properties about the supposedly simulating system that are actually false in the original one, for example $\Box \Diamond p2$.

One  simple  way  to  deal  with  this  difficulty  is  to  just  add  idle  transitions  for  each  of  the 
states  in  the  resulting  specification  by  means  of  a  rule  of  the  form  x  =>  x.  The  resulting 
system,  in  addition  to  all  the  rules  that  the  minimal  system  should  contain,  may  in  fact  have 
some  extra  "junk"  transitions  that  are  not  part  of  it.  Therefore,  we  would  end  up  with  a 
system  that  can  be  soundly  used  to  infer  properties  of  the  original  system  (it  is  immediate  to 
see  that  we  have  a  simulation  map)  but  that  in  general  would  be  coarser  than  the  minimal 
system. 
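The quotient construction of Section 5 and the deadlock difficulty just described, worked through on the FOO module as an added example (this Python model is not part of the original paper, and it is not Maude code): kripke builds the finite Kripke structure with the totalized relation $(\to^1_{\mathcal{R},k})^\bullet$, quotient computes the minimal quotient for the identification c = a using the intersection labelling of Section 5, labels_preserved checks preservation of the state predicates, and equational_quotient reproduces what $\mathcal{R}/E'$ yields when the idle transition of the deadlock state c is lost. always_eventually decides formulas of the shape $\Box\Diamond p$ on a finite structure by searching for a reachable cycle on which $p$ never holds. The function names, the encoding of states as strings, and the class map standing for $E'$ are all assumptions of this example.

```python
"""Quotient Kripke structures and the deadlock difficulty (added example).

Models the FOO module of Section 6 as a finite Kripke structure, builds the
minimal quotient for the identification c = a, and contrasts it with what the
equational abstraction R/E' yields when R is not deadlock free.
"""
from collections import defaultdict

# Constructed input: the FOO module. Rules a => b and b => c; p1 holds in
# a and c, p2 holds in b.
FOO_STATES = frozenset({"a", "b", "c"})
FOO_RULES = frozenset({("a", "b"), ("b", "c")})
FOO_LABELS = {"a": {"p1"}, "b": {"p2"}, "c": {"p1"}}
# E' = { c = a }, given as the map from each state to its class representative.
FOO_CLASSES = {"a": "a", "b": "b", "c": "a"}


def totalize(states, rules):
    """(->^1_R)^bullet: add a self-loop to every state with no successor."""
    trans = set(rules)
    sources = {s for s, _ in trans}
    trans.update((s, s) for s in states if s not in sources)
    return frozenset(trans)


def kripke(states, rules, labels):
    """K(R,k)_Pi: states, total transition relation, labelling function."""
    return frozenset(states), totalize(states, rules), dict(labels)


def lift_labels(states, labels, classes):
    """Labelling of a quotient: the intersection of the labels in each class."""
    qlabels = {}
    for s in states:
        c = classes[s]
        qlabels[c] = set(labels[s]) if c not in qlabels else qlabels[c] & labels[s]
    return qlabels


def quotient(struct, classes):
    """Minimal quotient K/≡_E': lift the (already total) transition relation."""
    states, trans, labels = struct
    qstates = frozenset(classes[s] for s in states)
    qtrans = frozenset((classes[s], classes[t]) for s, t in trans)
    return qstates, qtrans, lift_labels(states, labels, classes)


def equational_quotient(states, rules, labels, classes):
    """K(R/E',k)_Pi: quotient the rules first, then totalize. A deadlock
    self-loop of R disappears when its class gains a successor through E'."""
    qstates = frozenset(classes[s] for s in states)
    qrules = {(classes[s], classes[t]) for s, t in rules}
    return qstates, totalize(qstates, qrules), lift_labels(states, labels, classes)


def labels_preserved(struct, classes):
    """Preservation of state predicates: E'-equal states carry equal labels."""
    states, _, labels = struct
    rep = {}
    for s in states:
        c = classes[s]
        if c in rep and rep[c] != labels[s]:
            return False
        rep[c] = labels[s]
    return True


def always_eventually(struct, initial, prop):
    """Decide []<> prop from `initial`: it fails iff some reachable cycle
    consists only of states where prop does not hold (the relation is total,
    so such a cycle yields an infinite path that never sees prop again)."""
    states, trans, labels = struct
    succ = defaultdict(set)
    for s, t in trans:
        succ[s].add(t)
    reach, stack = {initial}, [initial]
    while stack:
        for t in succ[stack.pop()]:
            if t not in reach:
                reach.add(t)
                stack.append(t)
    bad = {s for s in reach if prop not in labels[s]}
    colour = dict.fromkeys(bad, 0)  # 0 unvisited, 1 on the DFS stack, 2 done

    def on_cycle(s):
        colour[s] = 1
        for t in succ[s]:
            if t in bad and (colour[t] == 1 or (colour[t] == 0 and on_cycle(t))):
                return True
        colour[s] = 2
        return False

    return not any(colour[s] == 0 and on_cycle(s) for s in bad)


if __name__ == "__main__":
    foo = kripke(FOO_STATES, FOO_RULES, FOO_LABELS)
    minimal = quotient(foo, FOO_CLASSES)
    naive = equational_quotient(FOO_STATES, FOO_RULES, FOO_LABELS, FOO_CLASSES)
    print("labels preserved:", labels_preserved(foo, FOO_CLASSES))
    print("original  []<>p2:", always_eventually(foo, "a", "p2"))
    print("minimal   []<>p2:", always_eventually(minimal, "a", "p2"))
    print("R/E' only []<>p2:", always_eventually(naive, "a", "p2"))
```

Running the script shows $\Box\Diamond p2$ false in the original structure and in the minimal quotient (the transition from the class of a to itself, inherited from $c \to c$, survives) but true in the quotient computed from the rules alone, which is exactly the unsound conclusion the text warns about. Totalizing before quotienting, as quotient does over kripke, is the finite-structure counterpart of first moving to a deadlock-free theory.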

A better way of addressing the problem is to characterize the set of deadlock states. For this, given a rewrite theory $\mathcal{R}$ with no rewrites appearing in the conditions of its rules, we introduce a new predicate $enabled : k \to [Bool]$ for each kind $k$ in $\mathcal{R}$ that will be true for a term iff there is a rule that can be applied to it.

Proposition 3. Given a rewrite theory $\mathcal{R} = (\Sigma, E, R)$ such that for every $l \to r \text{ if } C$ in $R$ there are no rewrites in $C$, we define an extension $(\Sigma', E')$ of its equational part by adding:

1. for each kind $k$ in $\Sigma$, a new operator $enabled : k \to [Bool]$ in $\Sigma'$;

2. for each rule $l \to r \text{ if } C$ in $R$, an equation $enabled(l) = true \text{ if } C$ in $E'$, and

3. for each operator $f : k_1 \dots k_n \to k$ in $\Sigma$ and for each $i$ with $1 \le i \le n$, the equation $enabled(f(x_1, \dots, x_n)) = true \text{ if } enabled(x_i) = true$.

Then, for each term $t \in T_\Sigma$,

$E' \vdash_{ind} enabled(t) = true \iff \text{there exists } t' \in T_\Sigma \text{ such that } t \to^1_{\mathcal{R}} t'.$

Proof. Notice first that since the terms are ground, the equation holds in the initial model iff it holds in every model. We prove the implication from left to right by induction on the derivation. The only nontrivial cases are when the last rule of inference used is either (Replacement) or (Transitivity). In the case of (Replacement), since $enabled$ is a new operator, the equation used must have been one of those added to $E$. Assume then that, for $enabled(l) = true \text{ if } C$ in $E'$ and a substitution $\theta$,

$\dfrac{\theta(C)}{\theta(enabled(l)) = true}$

is the last step of a derivation in $E'$ where $l \to r \text{ if } C$ is a rule in $R$. Then, by Lemma 4 below, $E \vdash \theta(C)$ and therefore $\theta(l) \to^1_{\mathcal{R},k} \theta(r)$. When the equation used is $enabled(f(x_1, \dots, x_n)) = true \text{ if } enabled(x_i) = true$, the result follows by the induction hypothesis and the (Congruence) rule of the rewriting logic calculus. Finally, in the case of (Transitivity),

$\dfrac{enabled(t) = t' \quad t' = true}{enabled(t) = true}$

By Lemma 5 below we can distinguish two cases. If $t'$ is true or if there is a smaller derivation of $enabled(t) = true$, we can apply the induction hypothesis. If $t'$ is $enabled(t'')$ for some $t''$ such that $E' \vdash t = t''$, the result follows by the induction hypothesis applied to $E' \vdash t' = true$, and the fact that $E \vdash t = t''$ by Lemma 4.

The implication in the other direction is proved by induction on the definition of $\to^1_{\mathcal{R}}$. If $t = \theta(l)$ and $t' = \theta(r)$ for some substitution $\theta$ and rule $l \to r \text{ if } C$ in $R$, the result follows by instantiating the appropriate equation among those added to $E'$. If $E \vdash t = u$, $E \vdash t' = v$, and $u \to^1_{\mathcal{R}} v$, by the induction hypothesis $E' \vdash enabled(u) = true$ and therefore $E' \vdash enabled(t) = true$. Finally, if $t = f(t_1, \dots, t_n)$, $t' = f(t'_1, \dots, t'_n)$, and $t_i \to^1_{\mathcal{R},k_i} t'_i$ for some $i$, by the induction hypothesis we have $E' \vdash enabled(t_i) = true$ and, again, the result follows by instantiating the appropriate equation in $E'$. □

Lemma 4. Under the conditions in Proposition 3, for all terms $t, t' \in T_\Sigma(X)$,

$E' \vdash (\forall X)\, t = t' \text{ implies } E \vdash (\forall X)\, t = t'.$

Proof. It is straightforward to prove by induction that if there is a derivation of $t = t'$ in $E'$ then there is also a derivation, with no occurrences of $enabled$, of $u = u'$, where $u$ and $u'$ are obtained from $t$ and $t'$ by replacing all subterms of the form $enabled(w)$ by true. Hence, when $t, t' \in T_\Sigma(X)$ what we get is a derivation in $E$. □

Lemma 5. Under the conditions in Proposition 3, for all ground terms $t$ and $t'$, if there is a derivation of $enabled(t) = t'$ or of $t' = enabled(t)$ in $E'$, then either:

(a) $t'$ is true,

(b) there is a derivation of $enabled(t) = true$ in $E'$ whose depth is less than or equal, or

(c) $t'$ is $enabled(t'')$ for some $t''$ such that $E' \vdash t = t''$.

Proof. By induction on the derivation. Only (Transitivity) is not immediate. Given

$\dfrac{enabled(t) = t'' \quad t'' = t'}{enabled(t) = t'}$

we apply the induction hypothesis to $enabled(t) = t''$. If it is the case that either (a) or (b) holds, then (b) also holds for the original equation. Otherwise, $t''$ is $enabled(t''')$ and we can apply the induction hypothesis to $t'' = t'$. The cases (a) and (c) are immediate. Now, if (b) holds, there is a derivation of $enabled(t''') = true$ whose depth is less than or equal to the one for $enabled(t''') = t'$, and we can use it together with $enabled(t) = enabled(t''')$ to build a derivation of $enabled(t) = true$ not deeper than the original derivation. □

The  enabled  predicate  and  its  properties  are  the  key  ingredients  in  the  proof  of  the  following 
proposition,  which  allows  us  to  transform  an  executable  rewrite  theory  into  a  semantically 
equivalent  one  that  is  both  deadlock-free  and  executable. 

Proposition 4. Let $\mathcal{R} = (\Sigma, E \cup A, R)$ be an executable rewrite theory. Given a chosen kind of states
$k$, we can construct an executable theory extension $\mathcal{R} \subseteq \mathcal{R}_{kdf} = (\Sigma', E' \cup A, R')$ such that:

- $\mathcal{R}_{kdf}$ is $k'$-deadlock free and $k'$-encapsulated for a certain kind $k'$;

- there is a function $h : T_{\Sigma',k'} \to T_{\Sigma,k}$ inducing a bijection $h : T_{\Sigma'/E' \cup A,\,k'} \to T_{\Sigma/E \cup A,\,k}$ such that
for each $t, t' \in T_{\Sigma',k'}$ we have

$h(t)\,(\to^{1}_{\mathcal{R},k})^{\bullet}\,h(t') \iff t \to^{1}_{\mathcal{R}_{kdf},k'} t'$.

Furthermore, if $\Pi$ are state predicates for $\mathcal{R}$ and $k$ defined by equations $D$, then we can define state
predicates $\Pi'$ for $\mathcal{R}_{kdf}$ and $k'$ by equations $D'$ such that the above map $h$ becomes a bijective $AP_\Pi$-bisimulation

$h : \mathcal{K}(\mathcal{R}_{kdf}, k')_{\Pi'} \to \mathcal{K}(\mathcal{R}, k)_{\Pi}$.

Proof. Define $\mathcal{R}_{kdf}$ by extending the equational theory $(\Sigma, E)$ in $\mathcal{R}$ with an enabled predicate as
explained in Proposition 3, and by adding a new kind $k'$, a new operator $\{\_\} : k \to k'$, and
the rule

    {x} → {x} if enabled(x) ≠ true

to $R$.

By construction, it is clear that $\mathcal{R}_{kdf}$ is $k'$-encapsulated. Given a ground term $\{t\}$ with $t$ of
kind $k$, if there is $t'$ in $\mathcal{R}$ such that $t \to_{\mathcal{R},k} t'$ then $\{t\} \to \{t'\}$; otherwise, by Proposition 3,
$E' \vdash \mathrm{enabled}(t) \neq \mathrm{true}$ and, by the rule we have just added, $\{t\} \to \{t\}$. Hence $\mathcal{R}_{kdf}$ is $k'$-deadlock
free. The function $h$ can be defined as $h(\{t\}) = t$ and, since no equations between terms of
kind $k'$ have been introduced, it induces a bijection and clearly satisfies the equivalence in
the second item.

Finally, regarding the state predicates, we transform each equation $(t \models p) = b$ if $C$ into
$(\{t\} \models p) = b$ if $C$, as in Lemma 1. This implies that $L_{\Pi}(\{t\}) = L_{\Pi}(t)$ and, together with the
previous results, that $h$ is a strict bisimulation. □

This  transformation  can  be  carried  out  automatically  within  Maude;  see  [12,  Chapter  15] 
for  details. 
Note that we have used an inequality in the condition of the new rule. This is allowed
in the implementation of rewriting logic in Maude under appropriate Church-Rosser and
termination assumptions, but not in rewriting logic itself. However, by a metatheorem of
Bergstra and Tucker [3], under the conditions of the proposition it is always possible to
define such an inequality equationally. We do not do so here because the rule is more
convenient and concise to express this way, which in addition is supported by
Maude in a built-in way as the inequality predicate _=/=_.
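The construction in the proof of Proposition 4, carried out on a small constructed transition system, as an added example that is not part of the paper. Kind-k states are plain integers and kind-k' states are the wrapped pairs (WRAP, t); enabled(t) is decided by looking for an applicable rule, as Proposition 3 allows for an executable theory. The sample system, the names kdf, bullet, h and lift_labels, and the labelling used at the end are all our own:

```python
# Added example (not the paper's code): Proposition 4's deadlock-freedom
# transformation on a small constructed transition system.  Kind-k states are
# integers, kind-k' states are wrapped pairs (WRAP, t); enabled(t) is decided by
# looking for an applicable rule, as Proposition 3 allows.  Sample system is ours.

WRAP = "{_}"   # the new operator {_} : k -> k', represented as a tag

def sample_succ(t):
    """Constructed kind-k system: 0 -> 1, 1 -> 2, 1 -> 3; 2 and 3 are deadlocked."""
    return {0: {1}, 1: {2, 3}, 2: set(), 3: set()}[t]

SAMPLE_STATES = (0, 1, 2, 3)

def enabled(succ, t):
    """enabled(t) = true iff some rule of R applies to t (Proposition 3)."""
    return bool(succ(t))

def is_deadlock_free(succ, states):
    return all(succ(s) for s in states)

def bullet(succ):
    """(->)^bullet: the one-step relation made total by a self-loop on each
    deadlocked state, i.e. the transition relation of the Kripke structure K(R, k)."""
    return lambda t: succ(t) or {t}

def kdf(succ):
    """R_kdf: the rules of R applied under {_}, plus  {x} -> {x} if enabled(x) =/= true ."""
    def succ_kdf(state):
        tag, t = state
        assert tag == WRAP, "rules of R_kdf only apply to terms of kind k'"
        out = {(WRAP, u) for u in succ(t)}
        if not enabled(succ, t):
            out.add(state)          # idle transition for the deadlocked state
        return out
    return succ_kdf

def h(state):
    """h({t}) = t; a bijection because no equations on kind k' were added."""
    return state[1]

def check_proposition(succ, states):
    """(k'-deadlock free, h bijective, one-step equivalence) on the sample states."""
    succ_kdf, total = kdf(succ), bullet(succ)
    wrapped = [(WRAP, t) for t in states]
    deadlock_free = is_deadlock_free(succ_kdf, wrapped)
    bijective = sorted(h(s) for s in wrapped) == sorted(states)
    equivalence = all(((WRAP, u) in succ_kdf((WRAP, t))) == (u in total(t))
                      for t in states for u in states)
    return deadlock_free, bijective, equivalence

def lift_labels(label):
    """State predicates for R_kdf: ({t} |= p) = b if C copies (t |= p) = b if C,
    so the labelling satisfies L({t}) = L(t)."""
    return lambda state: label(h(state))

if __name__ == "__main__":
    print("R deadlock free:", is_deadlock_free(sample_succ, SAMPLE_STATES))
    print("R_kdf checks:", check_proposition(sample_succ, SAMPLE_STATES))
```

The sample system has two deadlocked states, so R itself is not deadlock free; after the transformation every wrapped state has a successor, h is a bijection, and the one-step relation of R_kdf coincides with the bullet-completed relation of R, which is the equivalence of the second item.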

7  Case  Studies 

We  show  in  detail  the  application  of  the  techniques  introduced  in  this  paper  with  two 
examples:  the  bakery  protocol  presented  in  Section  4  and  a  communication  protocol. 

In addition to the cases presented here we have also dealt successfully with a number
of examples that have been used in the literature to illustrate other abstraction methods,
including a readers/writers system [29] (see also [12, Chapter 12]), the alternating bit protocol
[36,14,30], a mutual exclusion protocol discussed in [16], and the bounded retransmission
protocol [1,2,14], which is included in Appendix A. The abstractions were obtained simply
by adding some equations to the specifications. Only in the last two cases was it necessary
to add some extra rewrite rules (allowing idle/stuttering transitions of the form x → x) to
guarantee coherence; the case studies not included in this paper can be found in [35].

7.1  The  Bakery  Protocol  Example  Revisited 

We can use the bakery protocol example to illustrate how equational quotient abstractions
can be used to verify infinite-state systems. We can define such an abstraction by adding to
the equations of BAKERY (see page 6) a set $E'$ of additional equations defining a quotient of
the set of states. We can do so in the following module extending BAKERY by equations and
leaving the transition rewrite rules unchanged:

mod ABSTRACT-BAKERY is
  including BAKERY .
  vars P Q : Mode .
  vars X Y : Nat .

  eq < P, 0, Q, s s Y > = < P, 0, Q, s 0 > .
  eq < P, s s X, Q, 0 > = < P, s 0, Q, 0 > .
  ceq < P, s X, Q, s s Y > = < P, s s 0, Q, s 0 > if (s Y < X) .
  ceq < P, s s s X, Q, s Y > = < P, s s 0, Q, s 0 > if (Y < s s X) .
  ceq < P, s X, Q, s s Y > = < P, s 0, Q, s 0 > if not (s Y < X) .
  ceq < P, s s X, Q, s Y > = < P, s 0, Q, s 0 > if not (Y < s X) .
endm

Note that $\langle P, N, Q, M\rangle = \langle P', N', Q', M'\rangle$ according to the above equations iff:

1. $P = P'$ and $Q = Q'$,

2. $N = 0$ iff $N' = 0$,

3. $M = 0$ iff $M' = 0$,

4. $M < N$ iff $M' < N'$.

Intuitively, we do not care about the actual values of the variables, but only about which one
is greater, and whether they are equal to zero. (The equations in the module are more complex
than they might seem necessary at first sight; the extra case analysis rules out nontermination
through looping rewrites.)

Three key questions are:

- Is the set of states now finite?

- Does this abstraction correspond to a rewrite theory whose equations are ground Church-Rosser
and terminating?

- Are the rules still ground coherent?

The  check  of  termination  follows  from  that  for  the  bigger  module  ABSTRACT-BAKERY-PREDS, 
which  is  discussed  later. 

To  check  local  confluence  we  give  to  the  Maude  Church-Rosser  Checker  (CRC)  tool  a 
version  without  built-ins  of  this  module,  in  which  true  and  false  are  replaced  by  tt  and  ff, 
respectively: 

Maude> (check Church-Rosser ABSTRACT-BAKERY .)

Church-Rosser checking of ABSTRACT-BAKERY
Checking solution :
  ccp < P@:Mode, s 0, Q@:Mode, s 0 >
      = < P@:Mode, s s 0, Q@:Mode, s 0 >
      if not(s Y@:Nat < s X*@:Nat) = tt /\ s Y@:Nat < s X*@:Nat = tt .
  ccp < P@:Mode, s s 0, Q@:Mode, s 0 >
      = < P@:Mode, s 0, Q@:Mode, s 0 >
      if s Y@:Nat < X@:Nat = tt /\ not(s Y@:Nat < X@:Nat) = tt .

We can conclude local ground confluence if we show that the conditions in these conditional
critical pairs are unsatisfiable. This follows trivially if we can show that ABSTRACT-BAKERY
protects both NAT and BOOL. This, in turn, follows from the following two facts:

- BAKERY itself has no equations and therefore trivially protects NAT and BOOL;

- ABSTRACT-BAKERY is [BState]-encapsulated and all its equations are of kind [BState];
therefore, by Lemma 3 all other kinds have identical data in the initial models of BAKERY
and of ABSTRACT-BAKERY.

This leaves us with the ground coherence question. Checking a version without built-ins
with Maude's Coherence Checker gives us:

Maude> (check coherence ABSTRACT-BAKERY .)

Coherence checking of ABSTRACT-BAKERY
Checking solution :
  cp < sleep, 0, Q@:Mode, s 0 >
     = < wait, s s s Y*@:Nat, Q@:Mode, s s Y*@:Nat > .
  cp < P@:Mode, s 0, sleep, 0 >
     = < P@:Mode, s s X*@:Nat, wait, s s s X*@:Nat > .
  ccp < wait, s X*@:Nat, Q@:Mode, s s Y*@:Nat >
      = < crit, s X*@:Nat, Q@:Mode, s s Y*@:Nat >
      if s Y*@:Nat < X*@:Nat = tt /\ s s Y*@:Nat < s X*@:Nat = ff .
  ccp < wait, s X*@:Nat, Q@:Mode, s s Y*@:Nat >
      = < crit, s X*@:Nat, Q@:Mode, s s Y*@:Nat >
      if not(s Y*@:Nat < X*@:Nat) = tt /\ s s Y*@:Nat < s X*@:Nat = ff .
  ccp < wait, s s X*@:Nat, Q@:Mode, s Y*@:Nat >
      = < crit, s s X*@:Nat, Q@:Mode, s Y*@:Nat >
      if not(Y*@:Nat < s X*@:Nat) = tt /\ s Y*@:Nat < s s X*@:Nat = ff .
  ccp < wait, s s s X*@:Nat, Q@:Mode, s Y*@:Nat >
      = < crit, s s s X*@:Nat, Q@:Mode, s Y*@:Nat >
      if Y*@:Nat < s s X*@:Nat = tt /\ s Y*@:Nat < s s s X*@:Nat = ff .
  ccp < P@:Mode, s X*@:Nat, wait, s s Y*@:Nat >
      = < P@:Mode, s X*@:Nat, crit, s s Y*@:Nat >
      if s Y*@:Nat < X*@:Nat = tt /\ s s Y*@:Nat < s X*@:Nat = tt .
  ccp < P@:Mode, s X*@:Nat, wait, s s Y*@:Nat >
      = < P@:Mode, s X*@:Nat, crit, s s Y*@:Nat >
      if not(s Y*@:Nat < X*@:Nat) = tt /\ s s Y*@:Nat < s X*@:Nat = tt .
  ccp < P@:Mode, s s X*@:Nat, wait, s Y*@:Nat >
      = < P@:Mode, s s X*@:Nat, crit, s Y*@:Nat >
      if not(Y*@:Nat < s X*@:Nat) = tt /\ s Y*@:Nat < s s X*@:Nat = tt .
  ccp < P@:Mode, s s s X*@:Nat, wait, s Y*@:Nat >
      = < P@:Mode, s s s X*@:Nat, crit, s Y*@:Nat >
      if Y*@:Nat < s s X*@:Nat = tt /\ s Y*@:Nat < s s s X*@:Nat = tt .

Since NAT and BOOL are protected, the only pairs with satisfiable conditions are:

  cp < sleep, 0, Q@:Mode, s 0 >
     = < wait, s s s Y*@:Nat, Q@:Mode, s s Y*@:Nat > .
  cp < P@:Mode, s 0, sleep, 0 >
     = < P@:Mode, s s X*@:Nat, wait, s s s X*@:Nat > .
  ccp < wait, s X*@:Nat, Q@:Mode, s s Y*@:Nat >
      = < crit, s X*@:Nat, Q@:Mode, s s Y*@:Nat >
      if not(s Y*@:Nat < X*@:Nat) = tt /\ s s Y*@:Nat < s X*@:Nat = ff .
  ccp < wait, s s X*@:Nat, Q@:Mode, s Y*@:Nat >
      = < crit, s s X*@:Nat, Q@:Mode, s Y*@:Nat >
      if not(Y*@:Nat < s X*@:Nat) = tt /\ s Y*@:Nat < s s X*@:Nat = ff .
  ccp < P@:Mode, s X*@:Nat, wait, s s Y*@:Nat >
      = < P@:Mode, s X*@:Nat, crit, s s Y*@:Nat >
      if s Y*@:Nat < X*@:Nat = tt /\ s s Y*@:Nat < s X*@:Nat = tt .
  ccp < P@:Mode, s s s X*@:Nat, wait, s Y*@:Nat >
      = < P@:Mode, s s s X*@:Nat, crit, s Y*@:Nat >
      if Y*@:Nat < s s X*@:Nat = tt /\ s Y*@:Nat < s s s X*@:Nat = tt .

all of which can be inductively rewritten. We can illustrate the method of inductive proof
with the first unconditional and the first conditional pair.

The first unconditional pair is:

  cp < sleep, 0, Q@:Mode, s 0 >
     = < wait, s s s Y*@:Nat, Q@:Mode, s s Y*@:Nat > .

We can first inductively prove the equation

  eq < wait, s s s Y:Nat, Q:Mode, s s Y:Nat > = < wait, 2, Q, 1 > .

in the module ABSTRACT-BAKERY, by induction on Y:Nat, which gives us the following two
goals:

  eq < wait, s s s 0, Q:Mode, s s 0 > = < wait, 2, Q, 1 > .

  ceq < wait, s s s s Y:Nat, Q:Mode, s s s Y:Nat > = < wait, 2, Q, 1 >
      if < wait, s s s Y:Nat, Q:Mode, s s Y:Nat > = < wait, 2, Q, 1 > .

These two goals can be easily proved either using the ITP [13], or directly in Maude by
simplifying the first goal to a syntactic identity, and by applying the Theorem of Constants to
the second goal and adding the premise (instantiated with a constant) as an extra lemma to
simplify the conclusion (also instantiated with a constant) to a syntactic identity.

We  can  then  check  that  the  above  critical  pair  fills  in  by  using  the  search  command  with 
the  modifier  =>1,  which  returns  all  one-step  rewrites. 

Maude>  search  in  ABSTRACT-BAKERY  :  <  sleep,  0,  Q,  1  >  =>1  X:BState  . 

Solution  1  (state  1) 

X:BState  -->  <  wait,  2,  Q,  1  > 

No  more  solutions. 

Similarly, consider the first conditional critical pair which, eliminating the second redundant
condition, we can simplify to:

  ccp < wait, s X:Nat, Q:Mode, s s Y:Nat >
      = < crit, s X:Nat, Q:Mode, s s Y:Nat >
      if s Y:Nat < X:Nat = false .

Inducting on X, using the following equations as inductive lemmas,

  eq s X < s Y = X < Y .
  eq 0 < s X = true .
  eq s X < 0 = false .
  eq X < s X = true .
  eq s X < X = false .
  ceq X < s Y = true if X < Y .
  ceq s X < Y = false if X < Y = false .

and simplifying conditions, we obtain the following two instances:

  cp < wait, s 0, Q:Mode, s s Y:Nat > = < crit, s 0, Q:Mode, s s Y:Nat > .
  ccp < wait, s s X:Nat, Q:Mode, s s Y:Nat >
      = < crit, s s X:Nat, Q:Mode, s s Y:Nat >
      if Y:Nat < X:Nat = false .

The first pair's righthand side has canonical form < crit, 1, Q, 1 >; we can fill in the pair
with the search command:

Maude> search [, 1]
         < wait, s 0, Q:Mode, s s Y:Nat > =>+ X:BState .   --- 1 or more rewrites

Solution 1 (state 1)
X:BState --> < crit, 1, Q, 1 >

No more solutions.
Using the Theorem of Constants, we can convert the variables X and Y in the second pair into
constants a and b and assume not (b < a). Then the state < crit, s s a, Q:Mode, s s b >
has canonical form < crit, 1, Q, 1 >, and we can fill in this second pair by giving the
search command:

Maude> search [, 1] < wait, s s a, Q:Mode, s s b > =>+ X:BState .

Solution 1 (state 1)
X:BState --> < crit, 1, Q, 1 >

No more solutions.

Another pending question is the deadlock freedom of ABSTRACT-BAKERY. To prove that
it indeed holds we can specify an enabled predicate, as explained in Section 6, that returns
true when applied to a term iff that term represents a non-deadlocked state. We need the
following equations:

  eq enabled(< sleep, X, Q, Y >) = true .
  eq enabled(< wait, X, Q, 0 >) = true .
  ceq enabled(< wait, X, Q, Y >) = true if not (Y < X) .
  eq enabled(< crit, X, Q, Y >) = true .
  eq enabled(< P, X, sleep, Y >) = true .
  eq enabled(< P, 0, wait, Y >) = true .
  ceq enabled(< P, X, wait, Y >) = true if Y < X .
  eq enabled(< P, X, crit, Y >) = true .

Then, the equation we have to prove to ensure deadlock freedom is

  eq enabled(S) = true .

where S is a variable of sort State. The proof proceeds by induction on the first and third
components of the state and can be done straightforwardly with the ITP. Alternatively, we
could also prove the result in a more automated way by using the SCC tool. In our case the
tool returns that the module is sufficiently complete, which means, in particular, that all terms
of the form enabled(t) can be reduced to a canonical term in the sort Bool and, due to the
equations used, this term must be true as required.

What  about  state  predicates?  Are  they  preserved  by  the  abstraction?  State  predicates  are 
imported,  together  with  ABSTRACT-BAKERY,  in  the  module 

mod  ABSTRACT-BAKERY-PREDS  is 
pr  ABSTRACT-BAKERY  . 
inc  BAKERY-PREDS  . 
endm 

What  remaining  tasks  do  we  have  left  to  show  that  we  have  an  executable  quotient 
equational  abstraction?  First  of  all,  we  need  to  show  that  the  equations  in  BAKERY-PREDS  are 
ground  confluent,  sort-decreasing,  and  terminating,  and  that  BAKERY-PREDS  protects  BOOL. 
The  check  of  termination  follows  from  that  of  ABSTRACT-BAKERY-PREDS,  which  is  discussed 
later.  The  local  confluence  test  gives  us: 

Maude> (check Church-Rosser BAKERY-PREDS .)

Checking solution:

All critical pairs have been joined. The specification is
locally-confluent.

The specification is sort-decreasing.

and the sufficient completeness test gives us:

Maude> (scc BAKERY-PREDS .)

Success: BAKERY-PREDS is sufficiently complete under the assumption
that it is weakly-normalizing, confluent, and sort-decreasing.

and  since  true  and  false  are  in  canonical  form  this  shows  that  BAKERY-PREDS  protects  BOOL. 
Next  we  have  to  show  that  ABSTRACT-BAKERY-PREDS  protects  BOOL  (which  will  ensure  that  the 
state  predicates  are  preserved  by  the  abstraction),  and  is  ground  confluent,  sort-decreasing, 
and  terminating.  Since  the  equations  in  ABSTRACT-BAKERY  are  all  of  the  kind  [BState],  we 
can  apply  Theorem  3.  All  the  equalities  in  Theorem  3's  hypothesis  can  be  easily  proved  by 
induction,  either  manually  or  with  the  ITP,  using  case  analysis  on  the  constants  of  sort  Mode, 
since:  (i)  the  equations  in  ABSTRACT-BAKERY  leave  modes  unchanged;  and  (ii)  the  value  of 
each  state  predicate  only  depends  on  the  mode  of  one  of  the  two  processes. 

All we have left is checking termination of the equations in the modules BAKERY-PREDS and
ABSTRACT-BAKERY. But since their union is the set of equations in ABSTRACT-BAKERY-PREDS, it is
enough to check that ABSTRACT-BAKERY-PREDS is terminating. This check succeeds with the MTT
tool [21], after replacing the predefined modules NAT and BOOL by equivalent specifications
(predefined modules are not handled by the MTT tool at present).

In other words, we have just shown that, for $\Pi$ the state predicates declared in the module
BAKERY-PREDS (page 10), we have a strict quotient simulation map,

$\mathcal{K}(\textsf{BAKERY-PREDS}, \mathrm{State})_{\Pi} \to \mathcal{K}(\textsf{ABSTRACT-BAKERY-PREDS}, \mathrm{State})_{\Pi}$.

Therefore, we can establish the mutual exclusion property of BAKERY-PREDS by model checking
in ABSTRACT-BAKERY-CHECK the following:

Maude> reduce modelCheck(initial, []~ (1crit /\ 2crit)) .
result Bool: true

Likewise, we can establish the liveness property of BAKERY-PREDS by model checking in
ABSTRACT-BAKERY-CHECK:

Maude> reduce modelCheck(initial, (1wait |-> 1crit) /\ (2wait |-> 2crit)) .
result Bool: true
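The whole procedure of this subsection, from the quotient equations to the model checking runs, rebuilt in Python as an added example that is not part of the paper or its Maude modules. The concrete BAKERY rules below are reconstructed from the enabled equations above (the module itself is on page 6 and is not reproduced here), canon() stands in for reduction by the ABSTRACT-BAKERY equations, and the ticket bound used to sample ground states is ours:

```python
# Added example (not the paper's Maude code): the ABSTRACT-BAKERY quotient rebuilt
# in Python so that its proof obligations can be sampled and the finite abstract
# system model checked.  Assumptions: the concrete BAKERY rules are reconstructed
# from the enabled equations in the text (the module on page 6 is not reproduced
# here); canon() plays the role of reduction by the ABSTRACT-BAKERY equations;
# the ticket bound used for sampling is ours.
from itertools import product

SLEEP, WAIT, CRIT = "sleep", "wait", "crit"
MODES = (SLEEP, WAIT, CRIT)
INITIAL = (SLEEP, 0, SLEEP, 0)            # < sleep, 0, sleep, 0 >

def step(state):
    """One-step successors of a concrete state < P, N, Q, M > (assumed rules)."""
    p, n, q, m = state
    succ = set()
    if p == SLEEP:                             # process 1 draws ticket s M
        succ.add((WAIT, m + 1, q, m))
    elif p == WAIT and (m == 0 or not m < n):  # matches enabled(< wait, X, Q, Y >)
        succ.add((CRIT, n, q, m))
    elif p == CRIT:
        succ.add((SLEEP, 0, q, m))
    if q == SLEEP:                             # process 2 draws ticket s N
        succ.add((p, n, WAIT, n + 1))
    elif q == WAIT and (n == 0 or m < n):      # matches enabled(< P, X, wait, Y >)
        succ.add((p, n, CRIT, m))
    elif q == CRIT:
        succ.add((p, n, SLEEP, 0))
    return succ

def canon(state):
    """Canonical form under the ABSTRACT-BAKERY equations: modes are kept and the
    tickets only record whether each is zero and whether M < N."""
    p, n, q, m = state
    if n == 0:
        return (p, 0, q, min(m, 1))
    if m == 0:
        return (p, min(n, 1), q, 0)
    return (p, 2, q, 1) if m < n else (p, 1, q, 1)

def abstract_step(state):
    """Rewrite with a rule, then reduce with the equations, as Maude's search does."""
    return {canon(t) for t in step(state)}

def reachable(init, succ):
    """All states reachable from init (terminates because the quotient is finite)."""
    seen, todo = {init}, [init]
    while todo:
        for t in succ(todo.pop()):
            if t not in seen:
                seen.add(t)
                todo.append(t)
    return seen

def abstract_states():
    return reachable(canon(INITIAL), abstract_step)

def mutual_exclusion():
    # []~ (1crit /\ 2crit) on the abstract system
    return all(not (p == CRIT and q == CRIT) for p, _, q, _ in abstract_states())

def deadlock_free():
    """enabled(S) = true for every reachable abstract state."""
    return all(abstract_step(s) for s in abstract_states())

def coherence_sample(bound=6):
    """Ground coherence checked on concrete states with tickets <= bound: every
    concrete step s -> t must be matched by canon(s) -> canon(t) in the abstract
    system (the Coherence Checker establishes this for all ground terms)."""
    sample = product(MODES, range(bound + 1), MODES, range(bound + 1))
    return all(canon(t) in abstract_step(canon(s)) for s in sample for t in step(s))

def leads_to(p, q):
    """LTL  p |-> q  on the finite abstract graph: fails iff some p-state reaches a
    cycle that avoids q (paths are infinite because the system is deadlock free)."""
    graph = {s: abstract_step(s) for s in abstract_states()}

    def avoids_q_forever(s, on_path, done):
        on_path.add(s)
        for t in graph[s]:
            if q(t) or t in done:
                continue
            if t in on_path or avoids_q_forever(t, on_path, done):
                return True
        on_path.discard(s)
        done.add(s)
        return False

    return not any(p(s) and not q(s) and avoids_q_forever(s, set(), set()) for s in graph)

if __name__ == "__main__":
    print(len(abstract_states()), "abstract states; mutual exclusion:", mutual_exclusion())
    print("1wait |-> 1crit:", leads_to(lambda s: s[0] == WAIT, lambda s: s[0] == CRIT))
```

The quotient has nine reachable abstract states. The predicates 1crit, 2crit, 1wait and 2wait read only the modes, which canon() never changes, so the labelling is preserved by construction; the sampled coherence check is the finite counterpart of what the Coherence Checker proves for all ground terms, and the leads-to check is the explicit-state reading of the modelCheck calls above.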

7.2  A  Communication  Protocol 

Our second example is a protocol for in-order communication of messages between a sender
and a receiver in an asynchronous communication medium. To guarantee that the messages
are received in the correct order, messages include a sequence number and both sender and
receiver keep a counter that refers to the message they are currently working with. The sender
can, at any moment, nondeterministically choose the next value (in the set {a, b, c} in this
presentation) which is then paired with the sender's counter to compose a message that is
then released to the medium; the value itself is also appended to a list of sent values owned
by the sender. The receiver has a corresponding list of received values: the purpose of these
lists is basically to allow us to state the property we are interested in proving for the system.
When the receiver "sees" a message with a sequence number equal to its current counter, it
removes it from the medium and adds its value to its list of received values.

The following is the specification in Maude of the protocol, where there are only three
different types of messages. States are represented as triples < S, MS, R >, where S represents
the status of the sender, R that of the receiver, and MS the asynchronous medium (a soup
of messages).
mod PROTOCOL is
  protecting NAT .

  sorts Value ValueList LocalState Message MessageSoup State .
  subsort Value < ValueList .
  subsort Message < MessageSoup .

  ops a b c : -> Value [ctor] .
  op nil : -> ValueList [ctor] .
  op _:_ : ValueList ValueList -> ValueList [ctor assoc id: nil] .
  op ls : Nat ValueList -> LocalState [ctor] .
  op msg : Nat Value -> Message [ctor] .
  op null : -> MessageSoup [ctor] .
  op _;_ : MessageSoup MessageSoup -> MessageSoup [ctor assoc comm id: null] .
  op <_,_,_> : LocalState MessageSoup LocalState -> State [ctor] .
  op initial : -> State .

  vars N M : Nat .
  var X : Value .
  vars L L1 L2 : ValueList .
  var MS : MessageSoup .
  vars R S : LocalState .

  eq initial = < ls(0, nil), null, ls(0, nil) > .

  rl < ls(N, L), MS, R > => < ls(s(N), L : a), MS ; msg(N, a), R > .
  rl < ls(N, L), MS, R > => < ls(s(N), L : b), MS ; msg(N, b), R > .
  rl < ls(N, L), MS, R > => < ls(s(N), L : c), MS ; msg(N, c), R > .
  rl < S, msg(N, X) ; MS, ls(N, L) > => < S, MS, ls(s(N), L : X) > .
endm


In this specification, terms of sort LocalState, constructed with the operator ls, are
used to represent the local states of the sender and the receiver. The first argument of ls
corresponds to the counter while the second one is the list of messages already sent or
received. Note the important use of matching and rewriting modulo axioms of associativity
(assoc) and identity (id) for the append operator on lists, and modulo associativity
(assoc), commutativity (comm), and identity (id) for the multiset union operator that
builds soups of messages. These axioms correspond to the axioms $A$ in our theoretical
description of a rewrite theory $\mathcal{R} = (\Sigma, E \cup A, R)$ and are used by Maude to apply equations
and rules modulo such declared axioms $A$.

The property we would like our system to have is that messages are delivered in the
correct order. Thanks to the sender's and receiver's lists this can be formally expressed by
the formula □ prefix, where prefix is an atomic proposition that holds in those states in
which the receiver's list is a prefix of the sender's list. In Maude, this can be expressed as
follows:

mod PROTOCOL-PREDS is
  inc SATISFACTION .
  inc PROTOCOL .

  op prefix : -> Prop [ctor] .

  vars M N : Nat .
  var V : Value .
  vars L1 L2 : ValueList .
  var MS : MessageSoup .

  eq (< ls(N, L1 : L2), MS, ls(M, L1) > |= prefix) = true .
  eq (< ls(N, nil), MS, ls(M, V : L1) > |= prefix) = false .
  eq (< ls(N, b : L2), MS, ls(M, a : L1) > |= prefix) = false .
  eq (< ls(N, c : L2), MS, ls(M, a : L1) > |= prefix) = false .
  eq (< ls(N, a : L2), MS, ls(M, b : L1) > |= prefix) = false .
  eq (< ls(N, c : L2), MS, ls(M, b : L1) > |= prefix) = false .
  eq (< ls(N, a : L2), MS, ls(M, c : L1) > |= prefix) = false .
  eq (< ls(N, b : L2), MS, ls(M, c : L1) > |= prefix) = false .
endm


As was the case with the bakery protocol, model checking cannot be directly applied
because the set of states reachable from initial is infinite. There are, indeed, two different
sources of infiniteness in this example. The first one corresponds to the counters, which are
natural numbers that can grow arbitrarily large, and hence to arbitrarily long lists
of sent and received messages. The second one is the communication medium, which is
unbounded and can contain an arbitrary number of messages. To deal with this infiniteness
and to be able to apply model checking, we need to define an abstraction; the corresponding
proof obligations are discharged in a way similar to that for the bakery example and hence
we do not go into as much detail.

First of all, a state whose corresponding sender's and receiver's lists have the same value
as their first element can be identified with the state resulting from removing that value from
both lists. This can be expressed by means of the equation:

  eq < ls(N, X : L1), MS, ls(M, X : L2) > = < ls(N, L1), MS, ls(M, L2) > .

Secondly,  if  at  a  certain  time  both  counters  are  equal  and  there  are  no  messages  in  the 
medium,  then  the  counters  can  be  reset  to  zero. 

eq  <  ls(s(N),  LI),  null,  ls(s(N),  L2)  >  =  <  ls(0,  LI),  null,  ls(0,  L2)  >  . 

(The  pattern  s(N)  in  this  equation  is  used  to  ensure  termination.) 

Finally, if in the medium of the current state there is a message msg(N, X) and the
receiver's counter is N, we can identify this state with one in which the message has been
read by the receiver.

  eq < ls(M, L1 : X : L2), msg(N, X) ; MS, ls(N, L1) > =
     < ls(M, L1 : X : L2), MS, ls(s(N), L1 : X) > .

The equation is unconditional, but note that in order to enforce that either both states satisfy
prefix or none does, the term corresponding to the sender is required to match a certain
pattern on the lefthand side of the equation.

Before applying model checking to this new system we must again ask ourselves whether
the equations are still Church-Rosser and terminating, the rules are ground coherent, and
the predicates are preserved. Termination is clear because the number of messages keeps
decreasing, and so is deadlock freedom, because it is always possible to add a new element to
the list of sent messages.

The Church-Rosser property is not so straightforward due to the overlapping of the first
and the third equations: if the next message to be delivered appears also as the head of the
lists of messages associated to the sender and the receiver, we can either append it to the
end of the receiver's list using the third equation, or remove it from both lists using the first
one, and in this last case it does not seem possible to further reduce (equationally) the state.
Nonetheless, the Church-Rosser property indeed holds; informally, what happens is that in
order for the third equation to apply the sender and the receiver have to be such that we are
going to be able to remove all messages from the receiver's list; after that, the message can
be appended to the end of the receiver's list as wanted.

However, the resulting rewrite theory is not coherent. On the one hand, note that the last
equation in the abstraction is actually a particular case of the last rewrite rule. The term

  < ls(5, a : b : c), msg(3, b), ls(3, a) >

for example, can be reduced to

  < ls(5, a : b : c), null, ls(4, a : b) >

by applying either the equation or the rule, but this term, in turn, cannot be rewritten by any
rule to a term to which it is provably equal, as should be the case to have coherence. To solve
this, it is enough to add the following idle rule:

  rl < ls(M, L1 : X : L2), MS, ls(s(N), L1 : X) > =>
     < ls(M, L1 : X : L2), MS, ls(s(N), L1 : X) > .

On the other hand, the second equation can also raise a coherence problem. For example:

  < ls(5, L1), null, ls(5, L2) >  -->  < ls(6, L1 : a), msg(5, a), ls(5, L2) >
              ||                                     ||?
  < ls(0, L1), null, ls(0, L2) >  -->  < ls(1, L1 : a), msg(0, a), ls(0, L2) >

Suppose now that L1 and L2 are equal: then, both terms on the righthand side can be reduced
by the equations to the term

  < ls(0, nil), null, ls(0, nil) >

and hence we have coherence. This, however, is not true in general but can be enforced by
requiring L1 and L2 to be nil, and thus equal, for the second equation to be applied:

  eq < ls(s(N), nil), null, ls(s(N), nil) > = < ls(0, nil), null, ls(0, nil) > .

The resulting abstraction is then given as follows:

mod ABSTRACT-PROTOCOL-PREDS is
  inc PROTOCOL-PREDS .

  vars M N : Nat .
  vars L1 L2 : ValueList .
  var MS : MessageSoup .
  var X : Value .

  eq < ls(N, X : L1), MS, ls(M, X : L2) > = < ls(N, L1), MS, ls(M, L2) > .
  eq < ls(s(N), nil), null, ls(s(N), nil) > = < ls(0, nil), null, ls(0, nil) > .
  eq < ls(M, L1 : X : L2), msg(N, X) ; MS, ls(N, L1) > =
     < ls(M, L1 : X : L2), MS, ls(s(N), L1 : X) > .

  --- coherence
  rl < ls(M, L1 : X : L2), MS, ls(s(N), L1 : X) > =>
     < ls(M, L1 : X : L2), MS, ls(s(N), L1 : X) > .
endm
Using, for example, the SCC tool shows that both the modules PROTOCOL-PREDS and
ABSTRACT-PROTOCOL-PREDS are sufficiently complete. In particular, they both preserve BOOL
and then, by Theorem 2, the state predicate prefix is preserved.

Our desired property can now be finally checked:

Maude> reduce modelCheck(initial, [] prefix) .
result Bool: true

It is worth noting the following remark about the previous lines. The reason why we
achieve coherence is because the abstraction collapses almost everything! In particular, every
reachable state is simplified by the abstraction equations to the term

  < ls(0, nil), null, ls(0, nil) > .
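The abstraction of this subsection rebuilt in Python, as an added example that is not part of the paper. A state < ls(N, L), MS, ls(M, R) > becomes the tuple (N, L, MS, M, R), with L and R tuples of values and MS a sorted tuple of (number, value) pairs standing for the message soup; normalize() applies the three equations of ABSTRACT-PROTOCOL-PREDS to a fixpoint. The guarded=False variant of the third equation and the two sample ground terms are constructed here to illustrate the remark on the sender-side pattern and the remark that every reachable state collapses to the initial term; neither is code of the paper:

```python
# Added example (not the paper's code): the abstraction of Section 7.2 rebuilt in
# Python.  A state < ls(N, L), MS, ls(M, R) > is the tuple (N, L, MS, M, R), with
# L and R tuples of values and MS a sorted tuple of (number, value) pairs standing
# for the message soup.  normalize() applies the three equations of
# ABSTRACT-PROTOCOL-PREDS to a fixpoint; its guarded=False variant and the sample
# terms below are constructed here for contrast, not taken from the paper.

VALUES = ("a", "b", "c")
INITIAL = (0, (), (), 0, ())                  # < ls(0, nil), null, ls(0, nil) >

def step(state):
    """PROTOCOL rules: the sender emits any value; the receiver takes the
    message that carries its own counter."""
    n, L, soup, m, R = state
    succ = set()
    for x in VALUES:
        succ.add((n + 1, L + (x,), tuple(sorted(soup + ((n, x),))), m, R))
    for i, (k, x) in enumerate(soup):
        if k == m:
            succ.add((n, L, soup[:i] + soup[i + 1:], m + 1, R + (x,)))
    return succ

def prefix(state):
    """Atomic proposition: the receiver's list is a prefix of the sender's list."""
    _, L, _, _, R = state
    return L[:len(R)] == R

def normalize(state, guarded=True):
    """Normal form under the abstraction equations.  With guarded=False the third
    equation drops the sender-side pattern ls(M, L1 : X : L2), which the text
    says is what keeps prefix invariant under the abstraction."""
    n, L, soup, m, R = state
    while True:
        if L and R and L[0] == R[0]:                            # eq. 1: shared head
            L, R = L[1:], R[1:]
        elif n == m and n > 0 and not (soup or L or R):         # eq. 2: reset counters
            n = m = 0
        else:                                                   # eq. 3: deliver msg(N, X)
            for i, (k, x) in enumerate(soup):
                ok = not guarded or (L[:len(R)] == R and L[len(R):len(R) + 1] == (x,))
                if k == m and ok:
                    soup, m, R = soup[:i] + soup[i + 1:], m + 1, R + (x,)
                    break
            else:
                return (n, L, soup, m, R)

def reachable(init, succ, depth):
    """States within depth steps of init (the full concrete set is infinite)."""
    seen, frontier = {init}, {init}
    for _ in range(depth):
        frontier = {t for s in frontier for t in succ(s)} - seen
        seen |= frontier
    return seen

def abstract_step(state):
    return {normalize(t) for t in step(state)}

def abstract_states(depth=3):
    return reachable(normalize(INITIAL), abstract_step, depth)

def always_prefix(depth=3):
    """[] prefix on the abstract system."""
    return all(prefix(s) for s in abstract_states(depth))

def prefix_violations(states, guarded=True):
    """States on which the abstraction changes the value of prefix; the list must
    be empty for the predicate to be preserved."""
    return [s for s in states if prefix(s) != prefix(normalize(s, guarded))]

# Constructed ground terms: the one discussed with the coherence problem in the
# text, and an unreachable term that shows why the third equation is guarded.
COHERENCE_TERM = (5, ("a", "b", "c"), ((3, "b"),), 3, ("a",))  # < ls(5, a : b : c), msg(3, b), ls(3, a) >
GUARD_TERM = (1, ("a",), ((0, "b"),), 0, ())                   # < ls(1, a), msg(0, b), ls(0, nil) >

if __name__ == "__main__":
    print("abstract states:", abstract_states())
    print("normal form of the text's term:", normalize(COHERENCE_TERM))
    print("guard dropped, prefix broken on:", prefix_violations([GUARD_TERM], guarded=False))
```

On the concrete side, every state within a few steps of initial normalizes to the initial term, so the abstract system has a single state with a self-loop and [] prefix holds trivially. The full normal form of the text's sample term also applies the first equation after the third, which is why the result is < ls(5, c), null, ls(4, nil) > rather than the intermediate term shown above. Dropping the sender-side pattern from the third equation lets the receiver "read" a message whose value is not the next one the sender recorded, and prefix flips from true to false on GUARD_TERM: exactly the preservation failure the pattern prevents.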

8  Related  Work  and  Conclusions 

In [9] the simulation of a system M by another M' through a surjective function h was defined
and the optimal simulation M_h^min was identified. The idea of simulating by a quotient has
been further explored in [10,8,2,27,30,16] among others, although the construction in [16]
requires a Galois connection instead of just a function. Theorem proving is proposed in [2]
to construct the transition relation of the abstract system, and in [30] to prove that a function
is a representative function that can be used as input to an algorithm to extract M_h^min out of
M. While those uses of theorem proving focus on the correctness of the abstract transition
relation, our method focuses on making the minimal transition relation (which is correct by
construction) computable, and on proving the preservation of the labeling function. In [9,10],
on the other hand, the minimal model M_h^min is discarded in favor of less precise but easier to
compute approximations; this would correspond, in our approach, to the addition of rewrite
rules to the specification to simplify the proofs of the proof obligations (which can indeed
be a reasonable alternative way of applying some of the techniques presented here within a
"lighter" methodology). In all the papers mentioned, two states can become identified only
if they satisfy the same atomic propositions; our definition of simulation is more general, but
we have not yet exploited this.

The equational abstraction method that we have presented seems to apply in practice
to a good number of examples discussed in the literature. But we need to further test its
applicability on a wider and more challenging range of examples. Also, the method itself
can be generalized along several directions. For example, the equational theory extension
(Σ, E ∪ A) ⊆ (Σ, E ∪ A ∪ E') is generalized in [32] to an arbitrary theory interpretation
H : (Σ, E ∪ A) → (Σ', E''), allowing arbitrary transformations on the data representation of
states. A particular instance of this is predicate abstraction [38,14]. Under this approach, the
abstract domain is a Boolean algebra over a set of assertions and the abstraction function,
typically as part of a Galois connection, is symbolically constructed as the conjunction of
all expressions satisfying a certain condition, which is proved using theorem proving. This
corresponds in our framework to a theory interpretation H : (Σ, E) → (Σ ∪ Σ', E ∪ E'), with Σ'
introducing operators of the form p : State → Bool, and with H mapping states S to Boolean
tuples (p_1(S), ..., p_n(S)). Similarly, simulation maps between different sets AP and AP' of state
predicates can be considered, yielding another increase in generality when relating systems.
Yet another direction along which our methods can be generalized is considering stuttering
notions of simulation and bisimulation [6,37,30] allowing changes in the atomicity levels
of transitions when relating systems. All these extensions, together with the more general
representations of simulations in rewriting logic by means of equationally defined functions
or rewrite relations, are studied in [31].
A The Bounded Retransmission Protocol

In this appendix we discuss in some detail a more complex example, the bounded retransmission
protocol (BRP) [24,17]. The BRP is an extension of the alternating bit protocol where
a limit is placed on the number of transmissions of the messages; the following description
is borrowed from [1].

At the sender side, the protocol requests a sequence of data s = d_1, ..., d_n (action REQ) and
communicates a confirmation which can be either SOK, SNOK, or SDNK. The confirmation
SOK means that the file has been transferred successfully, SNOK means that the file has not
been transferred completely, and SDNK means that the file may not have been transferred
completely. This occurs when the last datum d_n is sent but not acknowledged.

Now,  at  the  receiver  side,  the  protocol  delivers  each  correctly  received  datum  with  an 
indication  which  can  be  RFST,  RINC,  ROK,  or  RNOK.  The  indication  RFST  means  that  the 
delivered  datum  is  the  first  one  and  more  data  will  follow,  RINC  means  that  the  datum  is 
an  intermediate  one,  and  ROK  means  that  this  was  the  last  datum  and  the  file  is  completed. 
However,  when  the  connection  with  the  sender  is  broken,  an  indication  RNOK  is  delivered 
(without  datum). 

In Maude, the different status of sender and receiver, messages, sequences of messages,
and the labels of the transitions can be represented as follows:

fmod DATA is
  sorts Sender Receiver .
  sort Label .
  sorts Msg MsgL .
  subsort Msg < MsgL .

  ops 0s 1s 2s 3s 4s 5s 6s 7s : -> Sender [ctor] .
  ops 0r 1r 2r 3r 4r : -> Receiver [ctor] .

  ops none req snok sok sdnk rfst rnok rinc rok : -> Label [ctor] .

  ops 0 1 fst last : -> Msg [ctor] .
  op nil : -> MsgL [ctor] .

  op _;_ : MsgL MsgL -> MsgL [ctor assoc id: nil] .
endfm

Properties  that  the  service  should  satisfy  include  the  following: 


1.  A  request  REQ  must  be  followed  by  a  confirmation  (SOK,  SNOK,  or  SDNK)  before  the 
next  request. 

2.  An  RFST  indication  must  be  followed  by  one  of  the  two  indications  ROK  or  RNOK  before 
the  beginning  of  a  new  transmission  (new  request  of  a  sender). 

3.  An  SOK  confirmation  must  be  preceded  by  an  ROK  indication. 

4.  An  RNOK  indication  must  be  preceded  by  an  SNOK  or  SDNK  confirmation  (abortion). 

The BRP is modelled in [1], after some simplifications to make the system untimed, as a
lossy channel system. Our following Maude specification is adapted from theirs. States of the
system are represented by terms of sort State constructed with a 7-tuple operator <_,_,_,_,_,_,_>.
The first and the fifth components describe the current status of the sender and the receiver,
respectively. The second and the sixth are Boolean values used by the sender and the receiver
for synchronization purposes. The third and fourth components of the tuple correspond to
the two lossy channels through which the sender and the receiver communicate. The last
component keeps track of the name of the last transition used to reach the current state
(hence the name of the constants of sort Label: req, snok, sok, ...). We only make explicit
the name of these transitions for the cases we are interested in (namely, those required by the
properties); in the rest of the cases, none is used.

For  a  more  detailed  description  of  the  protocol,  we  refer  to  [1].  In  Maude,  the  protocol 
can  be  specified  as  follows: 

mod BRP is
  protecting DATA .

  op <_,_,_,_,_,_,_> : Sender Bool MsgL MsgL Receiver Bool Label -> State [ctor] .

  op initial : -> State .

  var S : Sender .
  var R : Receiver .
  var M : Msg .
  vars K L KL : MsgL .
  vars A RT : Bool .
  var LA : Label .

  eq initial = < 0s, false, nil, nil, 0r, false, none > .

  rl [REQ] : < 0s, A, nil, nil, R, false, LA > =>
             < 1s, false, nil, nil, R, false, req > .

  rl [K!fst] : < 1s, A, K, L, R, RT, LA > =>
               < 2s, A, K ; fst, L, R, RT, none > .

  rl [K!fst] : < 2s, A, K, L, R, RT, LA > =>
               < 2s, A, K ; fst, L, R, RT, none > .

  rl [L?fst] : < 2s, A, K, fst ; L, R, RT, LA > =>
               < 3s, A, K, L, R, RT, none > .

  crl [L?-fst] : < 2s, A, K, M ; L, R, RT, LA > =>
                 < 2s, A, K, L, R, RT, none > if M =/= fst .

  rl [K!0] : < 3s, A, K, L, R, RT, LA > =>
             < 4s, A, K ; 0, L, R, RT, none > .

  rl [K!last] : < 3s, A, K, L, R, RT, LA > =>
                < 7s, A, K ; last, L, R, RT, none > .

  rl [K!0] : < 4s, A, K, L, R, RT, LA > =>
             < 4s, A, K ; 0, L, R, RT, none > .

  crl [L?-0] : < 4s, A, K, M ; L, R, RT, LA > =>
               < 4s, A, K, L, R, RT, none > if M =/= 0 .

  rl [L?0] : < 4s, A, K, 0 ; L, R, RT, LA > =>
             < 5s, A, K, L, R, RT, none > .

  rl [SNOK] : < 4s, A, K, nil, R, RT, LA > =>
              < 0s, true, K, nil, R, RT, snok > .

  rl [K!1] : < 5s, A, K, L, R, RT, LA > =>
             < 6s, A, K ; 1, L, R, RT, none > .

  rl [K!last] : < 5s, A, K, L, R, RT, LA > =>
                < 7s, A, K ; last, L, R, RT, none > .

  rl [K!1] : < 6s, A, K, L, R, RT, LA > =>
             < 6s, A, K ; 1, L, R, RT, none > .

  crl [L?-1] : < 6s, A, K, M ; L, R, RT, LA > =>
               < 6s, A, K, L, R, RT, none > if M =/= 1 .

  rl [SNOK] : < 6s, A, K, nil, R, RT, LA > =>
              < 0s, true, K, nil, R, RT, snok > .

  rl [K!last] : < 7s, A, K, L, R, RT, LA > =>
                < 7s, A, K ; last, L, R, RT, none > .

  crl [L?-last] : < 7s, A, K, M ; L, R, RT, LA > =>
                  < 7s, A, K, L, R, RT, none > if M =/= last .

  rl [SOK] : < 7s, A, K, last ; L, R, RT, LA > =>
             < 0s, A, K, L, R, RT, sok > .

  rl [SDNK] : < 7s, A, K, nil, R, RT, LA > =>
              < 0s, true, K, nil, R, RT, sdnk > .

  rl [RFST] : < S, false, fst ; K, L, 0r, RT, LA > =>
              < S, false, K, L ; fst, 1r, true, rfst > .

  rl [K?fstL!fst] : < S, A, fst ; K, L, 1r, RT, LA > =>
                    < S, A, K, L ; fst, 1r, RT, none > .

  rl [RNOK] : < S, true, nil, L, 1r, RT, LA > =>
              < S, true, nil, L, 1r, false, rnok > .

  rl [RINC] : < S, false, 0 ; K, L, 1r, RT, LA > =>
              < S, false, K, L ; 0, 2r, RT, rinc > .

  rl [ROK] : < S, false, last ; K, L, 1r, RT, LA > =>
             < S, false, K, L ; last, 4r, RT, rok > .

  rl [K?0L!0] : < S, A, 0 ; K, L, 2r, RT, LA > =>
                < S, A, K, L ; 0, 2r, RT, none > .

  rl [RINC] : < S, false, 1 ; K, L, 2r, RT, LA > =>
              < S, false, K, L ; 1, 3r, true, rinc > .

  rl [RNOK] : < S, true, nil, L, 2r, RT, LA > =>
              < S, true, nil, L, 0r, false, rnok > .

  rl [ROK] : < S, false, last ; K, L, 2r, RT, LA > =>
             < S, false, K, L ; last, 4r, RT, rok > .

  rl [RINC] : < S, false, 0 ; K, L, 3r, RT, LA > =>
              < S, false, K, L ; 0, 2r, RT, rinc > .

  rl [K?1L!1] : < S, A, 1 ; K, L, 3r, RT, LA > =>
                < S, A, K, L ; 1, 3r, RT, none > .

  rl [ROK] : < S, false, last ; K, L, 3r, RT, LA > =>
             < S, false, K, L ; last, 4r, RT, rok > .

  rl [RNOK] : < S, true, nil, L, 3r, RT, LA > =>
              < S, true, nil, L, 0r, false, rnok > .

  rl [K?lastL!last] : < S, A, last ; K, L, 4r, RT, LA > =>
                      < S, A, K, L ; last, 4r, RT, none > .

  rl [empty] : < S, A, last ; K, L, 4r, RT, LA > =>
               < S, A, nil, L, 0r, false, none > .
endm

The  properties  that  the  system  should  satisfy  impose  requirements  typically  of  the  form 
that  certain  transitions  should  happen  before  certain  other  transitions  do.  To  formulate 
requirements  of  this  general  form,  we  declare  a  parametric  atomic  proposition,  tr(L),  that 
is  true  in  those  states  resulting  from  the  application  of  a  transition  labeled  by  L. 

mod BRP-PREDS is
  inc SATISFACTION .
  inc BRP .

  op tr : Label -> Prop [ctor] .

  var S : Sender .  var R : Receiver .
  var M : Msg .     vars K L : MsgL .
  vars A RT : Bool .  var LA : Label .

  eq (< S, A, K, L, R, RT, LA > |= tr(LA)) = true .
endm

The  required  four  properties  can  then  be  expressed  in  Maude  as  follows: 

1. [](tr(req) -> O (~ tr(req) W (tr(sok) \/ tr(snok) \/ tr(sdnk))));

2. [](tr(rfst) -> (~ tr(req) W (tr(rok) \/ tr(rnok))));

3. [](tr(req) -> (~ tr(sok) W tr(rok)));

4. [](tr(req) -> (~ tr(rnok) W (tr(snok) \/ tr(sdnk)))).

Note  that  both  negations  and  implications  appear  in  these  formulas.  Therefore,  for  Theorem  1 
to  apply,  we  must  ensure  that  the  abstraction  we  define  is  strict,  i.e.,  that  it  preserves  the  atomic 
propositions. 

The system is infinite but one easily realizes, by running some small examples, that the
contents of the channels are always of the form m_1^* m_2^*, where m_1, m_2 range over {fst,
last, 0, 1}. Therefore we can use the idea of merging adjacent equal messages, which can
be specified by means of the following two equations, to collapse the set of states to a finite
number.

eq < S, A, KL ; M ; M ; K, L, R, RT, LA > = < S, A, KL ; M ; K, L, R, RT, LA > .
eq < S, A, K, KL ; M ; M ; L, R, RT, LA > = < S, A, K, KL ; M ; L, R, RT, LA > .

Note that we need not prove that the contents of the channels are actually of the form m_1^* m_2^*.
This is only used as an intuition to guide us in the choice of the abstraction equations, which
can still be used regardless of the validity of that claim (though they may not be very useful
if the claim is not really true).

It  is  immediate  to  check,  since  the  abstraction  equations  do  not  affect  the  label  of  a  state, 
that  only  states  satisfying  the  same  atomic  propositions  are  identified.  We  therefore  meet 
the  requirements  of  Theorem  1.  And  since  the  equations  apply  to  disjoint  components  of  the 
state  and  there  is  only  a  finite  number  of  messages  that  can  be  removed,  we  also  have  the 
Church-Rosser  and  termination  properties. 

What about the deadlock difficulty? By inspection of the lefthand sides of the rules in
BRP, it is easy to see that the equation

enabled(< S, A, KL ; M ; K, L, R, RT, LA >) = true

does not hold (consider the case in which S is equal to 0s) for the enabled operator as defined
in Section 6, so that the rule

rl < S, A, KL ; M ; K, L, R, RT, LA > => < S, A, KL ; M ; K, L, R, RT, LA > .

should be added; similarly for the second equation defining the abstraction. Notice that this
is not the best we can do. By direct inspection of the rules, it is easy to check that, except for
the case in which S is equal to 0s, all terms of those forms are enabled. Hence, instead of the
previous one, we only add the rules

rl [deadlock] : < 0s, A, KL ; M ; K, L, R, RT, LA > =>
                < 0s, A, KL ; M ; K, L, R, RT, LA > .

rl [deadlock] : < 0s, A, K, KL ; M ; L, R, RT, LA > =>
                < 0s, A, K, KL ; M ; L, R, RT, LA > .

Finally,  the  last  proof  obligation  to  check  is  that  of  coherence  and  this,  too,  happens  to 
fail.  Consider  for  example  the  term 

< 2s, true, nil, fst ; fst, 0r, true, none >

This term can be rewritten using the first of the [L?fst] rules to a term t of the form

< 3s, true, nil, fst, 0r, true, none >

However, if we had first reduced it using the equations we would have got

< 2s, true, nil, fst, 0r, true, none >

which can no longer be rewritten to t, or to any other term provably equal to it (an extra
message fst has been consumed following this way). To fix this problem, the following rule
must be added:

rl [L?fst'] : < 2s, A, K, fst ; L, R, RT, LA > =>
              < 3s, A, K, fst ; L, R, RT, none > .

Note  that  this  rule  does  not  raise  a  new  coherence  problem. 
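The coherence check just carried out by hand can be mechanised on explicit terms. The following Python model is an added example and is not part of the paper or of the Maude modules above; it represents a state as a 7-tuple with channels as tuples of messages, implements the two abstraction equations as the function `collapse` (an assumed name), encodes the [L?fst] rule and its primed companion, and tests on the term discussed above whether every concrete rewrite is matched by a rewrite of the abstracted term.

```python
from itertools import groupby

# State layout follows the paper's 7-tuple: (sender, A, K, L, receiver, RT, label).
# Channels K and L are tuples of message names; "()" plays the role of nil.
EXAMPLE_STATE = ("2s", True, (), ("fst", "fst"), "0r", True, "none")  # the paper's term


def collapse(channel):
    """Abstraction equations: merge adjacent equal messages, m ; m -> m.
    Together with assoc/id, this maps m1^* m2^* to at most two messages."""
    return tuple(m for m, _ in groupby(channel))


def abstract(state):
    """Canonical form of a state under the abstraction equations (label untouched)."""
    s, a, k, l, r, rt, la = state
    return (s, a, collapse(k), collapse(l), r, rt, la)


def rule_L_fst(state):
    """[L?fst]: sender at 2s consumes a leading fst from channel L and moves to 3s."""
    s, a, k, l, r, rt, la = state
    if s == "2s" and l[:1] == ("fst",):
        return {("3s", a, k, l[1:], r, rt, "none")}
    return set()


def rule_L_fst_prime(state):
    """[L?fst']: same step but the fst stays in L (the rule added for coherence)."""
    s, a, k, l, r, rt, la = state
    if s == "2s" and l[:1] == ("fst",):
        return {("3s", a, k, l, r, rt, "none")}
    return set()


def successors(state, rules):
    """One-step rewrites of a state under the given rules."""
    out = set()
    for rule in rules:
        out |= rule(state)
    return out


def coherent(state, rules):
    """Coherence obligation at one state: each concrete rewrite t -> t' must be
    matched by a rewrite of the canonical form of t to a term equal (modulo the
    abstraction equations) to t'. Returns False when a step is lost."""
    rewrite_then_abstract = {abstract(t) for t in successors(state, rules)}
    abstract_then_rewrite = {abstract(t) for t in successors(abstract(state), rules)}
    return rewrite_then_abstract <= abstract_then_rewrite


if __name__ == "__main__":
    # Without [L?fst'] the abstracted term loses the transition; with it, coherence holds.
    print("coherent with [L?fst] only:", coherent(EXAMPLE_STATE, [rule_L_fst]))
    print("coherent with [L?fst] and [L?fst']:",
          coherent(EXAMPLE_STATE, [rule_L_fst, rule_L_fst_prime]))
```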

The  same  situation  occurs  with  all  those  other  rules  in  which  a  message  is  removed  from 
one  of  the  lists;  the  solution  is  the  same  in  all  cases,  resulting  in  the  addition  of  the  following 
rules: 

crl [L?-fst'] : < 2s, A, K, M ; L, R, RT, LA > =>
                < 2s, A, K, M ; L, R, RT, none > if M =/= fst .

crl [L?-0'] : < 4s, A, K, M ; L, R, RT, LA > =>
              < 4s, A, K, M ; L, R, RT, none > if M =/= 0 .

rl [L?0'] : < 4s, A, K, 0 ; L, R, RT, LA > => < 5s, A, K, 0 ; L, R, RT, none > .

crl [L?-1'] : < 6s, A, K, M ; L, R, RT, LA > => < 6s, A, K, M ; L, R, RT, none >
              if M =/= 1 .

crl [L?-last'] : < 7s, A, K, M ; L, R, RT, LA > =>
                 < 7s, A, K, M ; L, R, RT, none > if M =/= last .

rl [SOK'] : < 7s, A, K, last ; L, R, RT, LA > => < 0s, A, K, last ; L, R, RT, sok > .

rl [RFST'] : < S, false, fst ; K, L, 0r, RT, LA > =>
             < S, false, fst ; K, L ; fst, 1r, true, rfst > .

rl [K?fstL!fst'] : < S, A, fst ; K, L, 1r, RT, LA > =>
                   < S, A, fst ; K, L ; fst, 1r, RT, none > .

rl [RINC'] : < S, false, 0 ; K, L, 1r, RT, LA > =>
             < S, false, 0 ; K, L ; 0, 2r, RT, rinc > .

rl [ROK'] : < S, false, last ; K, L, 1r, RT, LA > =>
            < S, false, last ; K, L ; last, 4r, RT, rok > .

rl [K?0L!0'] : < S, A, 0 ; K, L, 2r, RT, LA > =>
               < S, A, 0 ; K, L ; 0, 2r, RT, none > .

rl [RINC'] : < S, false, 1 ; K, L, 2r, RT, LA > =>
             < S, false, 1 ; K, L ; 1, 3r, true, rinc > .

rl [ROK'] : < S, false, last ; K, L, 2r, RT, LA > =>
            < S, false, last ; K, L ; last, 4r, RT, rok > .

rl [RINC'] : < S, false, 0 ; K, L, 3r, RT, LA > =>
             < S, false, 0 ; K, L ; 0, 2r, RT, rinc > .

rl [K?1L!1'] : < S, A, 1 ; K, L, 3r, RT, LA > =>
               < S, A, 1 ; K, L ; 1, 3r, RT, none > .

rl [ROK'] : < S, false, last ; K, L, 3r, RT, LA > =>
            < S, false, last ; K, L ; last, 4r, RT, rok > .

rl [K?lastL!last'] : < S, A, last ; K, L, 4r, RT, LA > =>
                     < S, A, last ; K, L ; last, 4r, RT, none > .


We then get our desired executable abstraction module ABSTRACT-BRP-CHECK by importing
BRP-CHECK and including the abstraction equations, the two [deadlock] rules, and the
above rules.

We  can  then  model  check  the  abstract  system  specified  in  ABSTRACT-BRP-CHECK  and  verify 
that  all  the  properties  hold  in  it.  Since  all  of  our  proof  obligations  are  fulfilled,  we  can  soundly 
infer  that  they  hold  in  the  concrete  system,  too. 

Maude> red modelCheck(initial, [](tr(req) ->
         O (~ tr(req) W (tr(sok) \/ tr(snok) \/ tr(sdnk))))) .
result Bool: true

Maude> red modelCheck(initial, [](tr(rfst) -> (~ tr(req) W (tr(rok) \/ tr(rnok))))) .
result Bool: true

Maude> red modelCheck(initial, [](tr(req) -> (~ tr(sok) W tr(rok)))) .
result Bool: true

Maude> red modelCheck(initial, [](tr(req) -> (~ tr(rnok) W (tr(snok) \/ tr(sdnk))))) .
result Bool: true